From a8076bf25e67c914f510495b68af1b910d559f6d Mon Sep 17 00:00:00 2001 From: Caleb Xu Date: Mon, 20 Oct 2025 14:35:51 -0400 Subject: [PATCH 1/2] Enforce 4 day cooldown in dependabot cooldown Signed-off-by: Caleb Xu --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ce5ea385..7fb535a9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,8 @@ updates: directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 4 groups: dev-dependencies: dependency-type: "development" @@ -15,4 +17,6 @@ updates: directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 4 From fb1d07243edb154d20333465df1ebd1e86db8b2c Mon Sep 17 00:00:00 2001 From: Caleb Xu Date: Tue, 19 Aug 2025 11:57:04 -0400 Subject: [PATCH 2/2] Improve security of GitHub Actions workflows Signed-off-by: Caleb Xu --- .../workflows/add-release-info-to-pyxis.yml | 11 +++-- .github/workflows/build-main.yml | 45 ++++++++++++------- .github/workflows/build-multiarch.yml | 34 +++++++++----- .github/workflows/build-release.yml | 25 ++++++++--- .github/workflows/check-actions.yml | 28 ++++++++++++ .github/workflows/code-review.yml | 37 +++++++++------ .github/workflows/copy-to-rhisv.yml | 20 ++++++--- .github/workflows/go.yml | 10 +++-- .github/workflows/release-artifacts.yml | 13 +++--- 9 files changed, 159 insertions(+), 64 deletions(-) create mode 100644 .github/workflows/check-actions.yml diff --git a/.github/workflows/add-release-info-to-pyxis.yml b/.github/workflows/add-release-info-to-pyxis.yml index 292d0346..acfd80db 100644 --- a/.github/workflows/add-release-info-to-pyxis.yml +++ b/.github/workflows/add-release-info-to-pyxis.yml @@ -37,13 +37,16 @@ jobs: - name: Call Pyxis API run: | curl --fail-with-body \ - --cert '${{ env.CERT_FILE_LOCATION }}' \ - --key '${{ env.KEY_FILE_LOCATION }}' \ + --cert "${CERT_FILE_LOCATION}" \ + --key "${KEY_FILE_LOCATION}" \ --pass '${{ secrets.certificatePassword }}' \ -H 'Content-Type: application/json' \ - -d '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}' \ + -d "${DATA_PAYLOAD}" \ -X POST \ - 'https://${{ inputs.host }}/v1/tools' | jq + "${PYXIS_ENDPOINT}" | jq + env: + DATA_PAYLOAD: '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}' + PYXIS_ENDPOINT: 'https://${{ inputs.host }}/v1/tools' - name: Cleanup if: always() diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 26a21134..78db0678 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -6,9 +6,11 @@ on: env: IMAGE_NAME: preflight - + jobs: build-main: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] name: Build and push main snapshot images strategy: matrix: @@ -16,21 +18,26 @@ jobs: platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Fetch latest release version - uses: reloc8/action-latest-release-version@1.0.0 + uses: reloc8/action-latest-release-version@b8d6337f30390558e7874a044d6a3c1314314bab # 1.0.0 id: fetch-latest-release - - name: Set Env Tags - run: echo RELEASE_TAG=${{ steps.fetch-latest-release.outputs.latest-release }} >> $GITHUB_ENV - - name: set short sha - run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV + + - name: Set release tag and short SHA + run: | + echo "RELEASE_TAG=${RELEASE_TAG}" >> "${GITHUB_ENV}" + echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" + env: + RELEASE_TAG: ${{ steps.fetch-latest-release.outputs.latest-release }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }} @@ -44,7 +51,7 @@ jobs: - name: Run and Validate Image run: | - if ! podman run --rm ${IMAGE_WITH_TAG} version; then + if ! podman run --rm "${IMAGE_WITH_TAG}" version; then echo "Image validation failed. The 'podman run' command returned a non-zero exit code." exit 1 fi @@ -53,7 +60,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }} @@ -62,22 +69,28 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }} imageVersion: ${{ env.SHA_SHORT }} build-coverage: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod @@ -94,12 +107,14 @@ jobs: run: make cover - name: Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: github-token: ${{ secrets.GITHUB_TOKEN }} file: coverage.out build-multiarch: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] needs: build-main uses: ./.github/workflows/build-multiarch.yml with: diff --git a/.github/workflows/build-multiarch.yml b/.github/workflows/build-multiarch.yml index 7c538bca..a76961ae 100644 --- a/.github/workflows/build-multiarch.yml +++ b/.github/workflows/build-multiarch.yml @@ -55,7 +55,7 @@ jobs: # Authenticate to container image registry to push the image - name: Podman Login - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: registry: ${{ secrets.registry }} username: ${{ secrets.user }} @@ -63,29 +63,41 @@ jobs: - name: Create and add to manifest run: | - buildah manifest create ${{ inputs.name }} - buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-amd64 - buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-ppc64le - buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-arm64 - buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-s390x + buildah manifest create "${INPUT_NAME}" + buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-amd64" + buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-ppc64le" + buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-arm64" + buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-s390x" + env: + INPUT_NAME: ${{ inputs.name }} + INPUT_TAG: ${{ inputs.tag }} - name: Push manifest id: push-manifest run: | - podman manifest push --digestfile imagedigest ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }} --all - echo "digest=$(cat imagedigest)" | tee -a $GITHUB_OUTPUT + podman manifest push --digestfile imagedigest "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}" --all + echo "digest=$(cat imagedigest)" | tee -a "${GITHUB_OUTPUT}" + env: + INPUT_NAME: ${{ inputs.name }} + INPUT_TAG: ${{ inputs.tag }} - name: Sign the published manifest # only sign if release is published, not for ghactions branch push # which is used for testing and development. if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }} run: | - cosign sign --yes --recursive ${{ secrets.registry }}/${{ inputs.name }}@${{ steps.push-manifest.outputs.digest }} + cosign sign --yes --recursive "${{ secrets.registry }}/${INPUT_NAME}@${DIGEST}" + env: + DIGEST: ${{ steps.push-manifest.outputs.digest }} + INPUT_NAME: ${{ inputs.name }} - name: Verify the image signature if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }} run: | cosign verify \ - --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${{ inputs.tag }} \ + --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${INPUT_TAG}" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }} + "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}" + env: + INPUT_NAME: ${{ inputs.name }} + INPUT_TAG: ${{ inputs.tag }} diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml index 5f490dae..fc974902 100644 --- a/.github/workflows/build-release.yml +++ b/.github/workflows/build-release.yml @@ -12,6 +12,8 @@ env: jobs: build-release: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] name: Build and push tag images strategy: matrix: @@ -19,16 +21,19 @@ jobs: platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - name: Set Env Tags - run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV + run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}" - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }} @@ -41,7 +46,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }} @@ -50,7 +55,9 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }} @@ -78,6 +85,8 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} extract-assets: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] needs: build-release uses: ./.github/workflows/release-artifacts.yml with: @@ -90,6 +99,8 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} add-release-info-to-pyxis: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] needs: [build-release, extract-assets] uses: ./.github/workflows/add-release-info-to-pyxis.yml if: "!github.event.release.prerelease" @@ -103,6 +114,8 @@ jobs: certificatePassword: ${{ secrets.PREFLIGHT_RELEASE_PASSWORD }} copy-to-rhisv: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] needs: [build-release, build-multiarch] uses: ./.github/workflows/copy-to-rhisv.yml with: diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml new file mode 100644 index 00000000..26fc0731 --- /dev/null +++ b/.github/workflows/check-actions.yml @@ -0,0 +1,28 @@ +name: Analyze GitHub Actions security + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + check-actions: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run actionlint + uses: docker://rhysd/actionlint@sha256:96d4a8c87dbbfb3bdd324f8fdc285fc3df5261e2decc619a4dd7e8ee52bbfd46 # 1.7.8 + with: + args: -color + + - name: Run zizmor + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + with: + advanced-security: false diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index 48269f89..9896508b 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -1,12 +1,18 @@ name: Gemini AI Code Review -on: +# pull_request_target is needed to access the Gemini key and modify (set/remove labels, comment on) +# the pull request. +on: # zizmor: ignore[dangerous-triggers] pull_request_target: types: [opened, synchronize, reopened, labeled] +# TODO: Assign permissions in individual jobs rather than at the +# workflow level to avoid blindly handing out `pull-requests: write` +# at the workflow level to all jobs (particularly if new jobs are +# added in this workflow in the future). permissions: contents: read - pull-requests: write + pull-requests: write # zizmor: ignore[excessive-permissions] concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} @@ -21,26 +27,30 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - name: Handle review label id: prep env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number }} + LABEL_JSON: ${{ toJSON(github.event.pull_request.labels.*.name) }} + EVENT_ACTION: ${{ github.event.action }} run: | - HAS_LABEL=$(echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq 'any(. == "gemini-review")') - EVENT_ACTION="${{ github.event.action }}" + HAS_LABEL=$(jq -n 'env.LABEL_JSON | fromjson | any(. == "gemini-review")') - if [[ "$HAS_LABEL" == "true" && "$EVENT_ACTION" != "labeled" ]]; then + if [[ "${HAS_LABEL}" == "true" && "${EVENT_ACTION}" != "labeled" ]]; then echo "gemini-review label found on a '${EVENT_ACTION}' event. Removing label and skipping review." - gh pr edit "$PR_NUMBER" --remove-label "gemini-review" - echo "should_run_review=false" >> $GITHUB_OUTPUT - elif [[ "$HAS_LABEL" == "true" ]]; then + gh pr edit "${PR_NUMBER}" --remove-label "gemini-review" + echo "should_run_review=false" >> "${GITHUB_OUTPUT}" + elif [[ "${HAS_LABEL}" == "true" ]]; then echo "gemini-review label found. Proceeding with review." - echo "should_run_review=true" >> $GITHUB_OUTPUT + echo "should_run_review=true" >> "${GITHUB_OUTPUT}" else echo "gemini-review label not found. Skipping review." - echo "should_run_review=false" >> $GITHUB_OUTPUT + echo "should_run_review=false" >> "${GITHUB_OUTPUT}" fi gemini-code-review: @@ -49,13 +59,14 @@ jobs: if: needs.handle-label.outputs.should_run_review == 'true' steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: refs/pull/${{ github.event.pull_request.number }}/merge + persist-credentials: false fetch-depth: 0 - name: Gemini AI Code Review - uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f + uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f # v1 with: gemini-key: ${{ secrets.GEMINI_API_KEY }} model: 'gemini-2.5-flash' diff --git a/.github/workflows/copy-to-rhisv.yml b/.github/workflows/copy-to-rhisv.yml index 06129e7f..f9059e98 100644 --- a/.github/workflows/copy-to-rhisv.yml +++ b/.github/workflows/copy-to-rhisv.yml @@ -28,9 +28,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Podman Login - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - registry: ${{ secrets.destImageRegistry }} + registry: ${DEST_IMAGE_REGISTRY} username: ${{ secrets.destRegistryUser }} password: ${{ secrets.destRegistryPassword }} @@ -38,8 +38,14 @@ jobs: id: skopeo-copy-image run: | skopeo -v - skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-amd64 docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-amd64 - skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-ppc64le docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-ppc64le - skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-arm64 docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-arm64 - skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-s390x docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-s390x - skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }} docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }} + skopeo copy --all --preserve-digests "docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-amd64" "docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-amd64" + skopeo copy --all --preserve-digests "docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-ppc64le" "docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-ppc64le" + skopeo copy --all --preserve-digests "docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-arm64" "docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-arm64" + skopeo copy --all --preserve-digests "docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-s390x" "docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-s390x" + skopeo copy --all --preserve-digests "docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}" "docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}" + env: + SOURCE_IMAGE_REGISTRY: ${{ secrets.sourceImageRegistry }} + SOURCE_IMAGE_NAME: ${{ inputs.sourceImageName }} + SOURCE_IMAGE_TAG: ${{ inputs.sourceImageTag }} + DEST_IMAGE_REGISTRY: ${{ secrets.destImageRegistry }} + DEST_IMAGE_NAME: ${{ inputs.destImageName }} diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 1015d775..5df61e13 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -8,15 +8,19 @@ on: jobs: build: + # TODO: Set explicit permissions for this job. + # zizmor: ignore[excessive-permissions] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod @@ -36,7 +40,7 @@ jobs: run: make cover - name: Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: github-token: ${{ secrets.GITHUB_TOKEN }} file: coverage.out diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index 5c43a6ce..02601100 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -33,14 +33,14 @@ jobs: - s390x steps: - name: Docker Login - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ secrets.registry }} username: ${{ secrets.user }} password: ${{ secrets.password }} - name: Extract executable - uses: shrink/actions-docker-extract@v3 + uses: shrink/actions-docker-extract@04c17c51a5b9fd93b7aed2e05e86c8fe2d90ee52 # v3.1.0 id: extract with: image: ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-${{ matrix.platform }}-${{ matrix.architecture }} @@ -62,14 +62,17 @@ jobs: name: Release binaries for MacOS runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - name: Set Env Tags - run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV + run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}" - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - name: Build Multi-arch-mac