From 5a3bc5851110d2271ae5de1f26d2659ac7e86a8b Mon Sep 17 00:00:00 2001
From: Matthieu MOREL
Date: Mon, 19 Aug 2024 22:45:28 +0200
Subject: [PATCH] Setup scorecard workflow

Apply security best practices

Signed-off-by: Matthieu MOREL
---
 .github/dependabot.yml | 27 +++++++++++
 .github/workflows/auto_assign_prs.yml | 8 +++-
 .github/workflows/auto_label_prs.yml | 8 +++-
 .github/workflows/auto_request_review.yml | 2 +-
 .github/workflows/crds-verify-kind.yaml | 13 ++++--
 .github/workflows/e2e-test-kind.yaml | 23 +++++----
 .github/workflows/nightly-trivy-scan.yml | 9 ++--
 .github/workflows/pr-changelog-check.yml | 5 +-
 .github/workflows/pr-ci-check.yml | 9 ++--
 .github/workflows/pr-codespell.yml | 7 ++-
 .github/workflows/pr-containers.yml | 9 ++--
 .github/workflows/pr-goreleaser.yml | 2 +-
 .github/workflows/pr-linter-check.yml | 12 +++--
 .github/workflows/prow-action.yml | 2 +-
 .github/workflows/push-builder.yml | 5 +-
 .github/workflows/push.yml | 19 ++++----
 .github/workflows/rebase.yml | 10 +++-
 .github/workflows/scorecard.yml | 57 +++++++++++++++++++++++
 .github/workflows/stale-issues.yml | 8 +++-
 Dockerfile | 6 +--
 hack/build-image/Dockerfile | 2 +-
 site/Dockerfile | 2 +-
 22 files changed, 193 insertions(+), 52 deletions(-)
 create mode 100644 .github/workflows/scorecard.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 45332806b9..2dbdc5fc17 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,3 +19,30 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"] + + - package-ecosystem: docker + directory: / + schedule: + interval: "weekly" + labels: + - "Dependencies" + - "docker" + - "kind/changelog-not-required" + + - package-ecosystem: docker + directory: /hack/build-image + schedule: + interval: "weekly" + labels: + - "Dependencies" + - "docker" + - "kind/changelog-not-required" + + - package-ecosystem: docker + directory: /site + schedule: + interval: "weekly" + labels: + - "Dependencies" + - "docker" + - "kind/changelog-not-required" diff --git a/.github/workflows/auto_assign_prs.yml b/.github/workflows/auto_assign_prs.yml index d827b697ad..b767d01390 100644 --- a/.github/workflows/auto_assign_prs.yml +++ b/.github/workflows/auto_assign_prs.yml @@ -7,13 +7,19 @@ on: pull_request_target: types: [opened, reopened, ready_for_review] +permissions: + contents: read + jobs: # Automatically assigns reviewers and owner add-reviews: + permissions: + contents: read # for kentaro-m/auto-assign-action to fetch config file + pull-requests: write # for kentaro-m/auto-assign-action to assign PR reviewers runs-on: ubuntu-latest steps: - name: Set the author of a PR as the assignee - uses: kentaro-m/auto-assign-action@v2.0.0 + uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0 with: configuration-path: ".github/auto-assignees.yml" repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/auto_label_prs.yml b/.github/workflows/auto_label_prs.yml index a5d912af8d..daf704c976 100644 --- a/.github/workflows/auto_label_prs.yml +++ b/.github/workflows/auto_label_prs.yml 
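Review bot: The three new `package-ecosystem: docker` entries keep the image digests pinned by this commit current, but nothing in this hunk covers the action commit SHAs the same commit introduces across every workflow, so those pins will silently age unless a `package-ecosystem: github-actions` entry already exists above line 19 (outside the hunk). If it does not, add `- package-ecosystem: github-actions` with `directory: /` and the same `schedule: interval: "weekly"` next to these entries, since a SHA pin without an updater is a frozen dependency rather than a managed one. The three docker entries differ only in `directory:`; a short comment above the first, `# one docker entry per Dockerfile: /, /hack/build-image, /site`, would make the repetition intentional for the next reader.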
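Review bot: The `add-reviews` job still runs on `pull_request_target` with `pull-requests: write`, so the new top-level `permissions: contents: read` does not reduce what this job holds while processing a pull request from a fork; that is acceptable only because the job never checks out or runs PR-head code. That invariant is worth stating where the next maintainer will see it, for example above `pull_request_target:`: `# runs with a write token on fork PRs: do not add a checkout of github.event.pull_request.head.sha here`. The same situation and the same comment apply to the `triage` job in .github/workflows/auto_label_prs.yml.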
@@ -8,12 +8,18 @@ on: pull_request_target: types: [opened, reopened, synchronize, ready_for_review] +permissions: + contents: read + jobs: # Automatically labels PRs based on file globs in the change. triage: + permissions: + contents: read # for actions/labeler to determine modified files + pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml diff --git a/.github/workflows/auto_request_review.yml b/.github/workflows/auto_request_review.yml index 83e7032ab2..d9b3aeaebe 100644 --- a/.github/workflows/auto_request_review.yml +++ b/.github/workflows/auto_request_review.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Request a PR review based on files types/paths, and/or groups the author belongs to - uses: necojackarc/auto-request-review@v0.13.0 + uses: necojackarc/auto-request-review@e89da1a8cd7c8c16d9de9c6e763290b6b0e3d424 # v0.13.0 with: token: ${{ secrets.GITHUB_TOKEN }} config: .github/auto-assignees.yml diff --git a/.github/workflows/crds-verify-kind.yaml b/.github/workflows/crds-verify-kind.yaml index 3d51599e85..fc2dc806f0 100644 --- a/.github/workflows/crds-verify-kind.yaml +++ b/.github/workflows/crds-verify-kind.yaml 
@@ -6,21 +6,24 @@ on: - "site/**" - "design/**" +permissions: + contents: read + jobs: # Build the Velero CLI once for all Kubernetes versions, and cache it so the fan-out workers can get it. build-cli: runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' # Look for a CLI that's made for this PR - name: Fetch built CLI id: cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 env: cache-name: cache-velero-cli with: @@ -55,7 +58,7 @@ jobs: steps: - name: Fetch built CLI id: cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 env: cache-name: cache-velero-cli with: @@ -65,7 +68,7 @@ jobs: # This key controls the prefixes that we'll look at in the cache to restore from restore-keys: | velero-${{ github.event.pull_request.number }}- - - uses: engineerd/setup-kind@v0.5.0 + - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: "v0.21.0" image: "kindest/node:v${{ matrix.k8s }}" diff --git a/.github/workflows/e2e-test-kind.yaml b/.github/workflows/e2e-test-kind.yaml index 538ddbddc0..803968bdf4 100644 --- a/.github/workflows/e2e-test-kind.yaml +++ b/.github/workflows/e2e-test-kind.yaml 
@@ -6,28 +6,31 @@ on: paths-ignore: - "site/**" - "design/**" +permissions: + contents: read + jobs: # Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it. build: runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' # Look for a CLI that's made for this PR - name: Fetch built CLI id: cli-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./_output/bin/linux/amd64/velero # The cache key a combination of the current PR number and the commit SHA key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }} - name: Fetch built image id: image-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./velero.tar # The cache key a combination of the current PR number and the commit SHA 
@@ -66,27 +69,27 @@ jobs: fail-fast: false steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' - name: Install MinIO run: docker run -d --rm -p 9000:9000 -e "MINIO_ACCESS_KEY=minio" -e "MINIO_SECRET_KEY=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:2021.6.17-debian-10-r7 - - uses: engineerd/setup-kind@v0.5.0 + - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: "v0.21.0" image: "kindest/node:v${{ matrix.k8s }}" - name: Fetch built CLI id: cli-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./_output/bin/linux/amd64/velero key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }} - name: Fetch built Image id: image-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./velero.tar key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }} @@ -121,7 +124,7 @@ jobs: timeout-minutes: 30 - name: Upload debug bundle if: ${{ failure() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: DebugBundle path: /home/runner/work/velero/velero/test/e2e/debug-bundle* diff --git a/.github/workflows/nightly-trivy-scan.yml b/.github/workflows/nightly-trivy-scan.yml index acf42dc803..85b96ad10c 100644 --- a/.github/workflows/nightly-trivy-scan.yml +++ b/.github/workflows/nightly-trivy-scan.yml @@ -3,6 +3,9 @@ on: schedule: - cron: '0 2 * * *' # run at 2 AM UTC +permissions: + contents: read + jobs: nightly-scan: name: Trivy nightly scan 
@@ -19,10 +22,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master with: image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}' severity: 'CRITICAL,HIGH,MEDIUM' @@ -31,6 +34,6 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 with: sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/pr-changelog-check.yml b/.github/workflows/pr-changelog-check.yml index 96052fc2d6..62ed213fd0 100644 --- a/.github/workflows/pr-changelog-check.yml +++ b/.github/workflows/pr-changelog-check.yml @@ -4,6 +4,9 @@ name: Pull Request Changelog Check on: pull_request: types: [opened, synchronize, reopened, labeled, unlabeled] +permissions: + contents: read + jobs: build: @@ -12,7 +15,7 @@ jobs: steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Changelog check if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}} diff --git a/.github/workflows/pr-ci-check.yml b/.github/workflows/pr-ci-check.yml index 4bcc28cee1..60458b7e9d 100644 --- a/.github/workflows/pr-ci-check.yml +++ b/.github/workflows/pr-ci-check.yml @@ -1,5 +1,8 @@ name: Pull Request CI Check on: [pull_request] +permissions: + contents: read + jobs: build: name: Run CI 
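Review bot: `github/codeql-action/upload-sarif` requires `security-events: write`, and this commit's new top-level `permissions: contents: read` (first hunk of this file) now applies to `nightly-scan` unless the job declares its own `permissions:` in the lines between the two hunks, which are not shown; if it does not, the nightly upload will start failing with a 403, and the job needs `permissions:` / `  contents: read` / `  security-events: write`. Separately, `aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master` pins a commit taken from a moving branch, so the comment tells neither a reviewer nor Dependabot which release is in use; pin the commit of a release tag and record that tag in the comment instead. The same applies to `codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # master` in .github/workflows/pr-codespell.yml. The file also still ends without a trailing newline (`\ No newline at end of file`), which this touch of the last line could have fixed.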
@@ -8,15 +11,15 @@ jobs: fail-fast: false steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' - name: Make ci run: make ci - name: Upload test coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: coverage.out diff --git a/.github/workflows/pr-codespell.yml b/.github/workflows/pr-codespell.yml index 0d3138e403..d5532f039e 100644 --- a/.github/workflows/pr-codespell.yml +++ b/.github/workflows/pr-codespell.yml @@ -1,5 +1,8 @@ name: Pull Request Codespell Check on: [pull_request] +permissions: + contents: read + jobs: codespell: @@ -8,10 +11,10 @@ jobs: steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Codespell - uses: codespell-project/actions-codespell@master + uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # master with: # ignore the config/.../crd.go file as it's generated binary data that is edited elswhere. skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/v1beta1/crds/crds.go,./config/crd/v1/crds/crds.go,./config/crd/v2alpha1/crds/crds.go,./go.sum,./LICENSE diff --git a/.github/workflows/pr-containers.yml b/.github/workflows/pr-containers.yml index 345f24362b..1cdc101799 100644 --- a/.github/workflows/pr-containers.yml +++ b/.github/workflows/pr-containers.yml 
@@ -8,23 +8,26 @@ on: paths: - 'Dockerfile' +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 name: Checkout - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: all - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 with: version: latest diff --git a/.github/workflows/pr-goreleaser.yml b/.github/workflows/pr-goreleaser.yml index aed88ab14a..6c3684182a 100644 --- a/.github/workflows/pr-goreleaser.yml +++ b/.github/workflows/pr-goreleaser.yml @@ -14,7 +14,7 @@ jobs: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 name: Checkout - name: Verify .goreleaser.yml and try a dryrun release. diff --git a/.github/workflows/pr-linter-check.yml b/.github/workflows/pr-linter-check.yml index 429b7b169e..9e1440f794 100644 --- a/.github/workflows/pr-linter-check.yml +++ b/.github/workflows/pr-linter-check.yml 
@@ -1,19 +1,25 @@ name: Pull Request Linter Check on: [pull_request] +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Run Linter Check runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' - name: Linter check - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.57.2 args: --verbose diff --git a/.github/workflows/prow-action.yml b/.github/workflows/prow-action.yml index a38953ed89..c5ae6f6c6a 100644 --- a/.github/workflows/prow-action.yml +++ b/.github/workflows/prow-action.yml @@ -9,7 +9,7 @@ jobs: execute: runs-on: ubuntu-latest steps: - - uses: jpmcb/prow-github-actions@v1.1.3 + - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3 with: # TODO: before allowing the /lgtm command, see if we can block merging if changelog labels are missing. prow-commands: | diff --git a/.github/workflows/push-builder.yml b/.github/workflows/push-builder.yml index d4461bbdde..1f2de4a2b8 100644 --- a/.github/workflows/push-builder.yml +++ b/.github/workflows/push-builder.yml @@ -6,13 +6,16 @@ on: paths: - 'hack/build-image/Dockerfile' +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The default value is "1" which fetches only a single commit. If we merge PR without squash or rebase, # there are at least two commits: the first one is the merge commit and the second one is the real commit 
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index bbc1f16ea9..f705385b8d 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -8,6 +8,9 @@ on: tags: - '*' +permissions: + contents: read + jobs: build: @@ -15,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' # Fix issue of setup-gcloud @@ -25,22 +28,22 @@ jobs: sudo apt-get install python2.7 export CLOUDSDK_PYTHON="/usr/bin/python2" - id: 'auth' - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 with: credentials_json: '${{ secrets.GCS_SA_KEY }}' - name: 'set up GCloud SDK' - uses: google-github-actions/setup-gcloud@v2 + uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - name: 'use gcloud CLI' run: | gcloud info - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: all - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 with: version: latest - name: Build @@ -51,13 +54,13 @@ jobs: - name: Test run: make test - name: Upload test coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: coverage.out verbose: true # Use the JSON key in secret to login gcr.io - - uses: 'docker/login-action@v3' + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: 'gcr.io' # or REGION.docker.pkg.dev username: '_json_key' 
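Review bot: `credentials_json: '${{ secrets.GCS_SA_KEY }}'` still hands a long-lived service-account key to `google-github-actions/auth`; pinning the action does not change that the key lives in repository secrets and is valid until someone rotates it. The same action supports keyless authentication through `workload_identity_provider:` and `service_account:` inputs with `id-token: write` granted to the job, which removes the stored key entirely and is the natural follow-up to the permission tightening this commit starts. Until then, a comment on the `auth` step such as `# TODO: move to workload identity federation and drop GCS_SA_KEY` records the intent. The `with:` block of the `docker/login-action` step continues outside the hunk.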
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index 7a538a1147..0ada46b3db 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -2,17 +2,23 @@ on: issue_comment: types: [created] name: Automatic Rebase +permissions: + contents: read + jobs: rebase: + permissions: + contents: write # for cirrus-actions/rebase to push code to rebase + pull-requests: read # for cirrus-actions/rebase to get info about PR name: Rebase if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') runs-on: ubuntu-latest steps: - name: Checkout the latest code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - name: Automatic Rebase - uses: cirrus-actions/rebase@1.8 + uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000000..a03c2384ef --- /dev/null +++ b/.github/workflows/scorecard.yml 
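Review bot: The `rebase` job now explicitly holds `contents: write`, yet its `if:` only checks that the comment text contains `/rebase`, so any account able to comment on a pull request can make the workflow push a rebased branch with the repository token; the condition should also restrict who may trigger it, e.g. `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The checkout keeps the default `persist-credentials`, which is presumably what allows the subsequent push; if so, a comment on the checkout step saying that the credentials are intentionally retained for the rebase would stop a later cleanup from breaking it.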
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '45 12 * * 2'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
+        with:
+          sarif_file: results.sarif
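Review bot: `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` and `actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20` are older than the pins this same commit applies everywhere else (`actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`, and upload-artifact v4.3.6 in e2e-test-kind.yaml), so the repository now carries two versions of each action; aligning the checkout pin is a one-line change, and the upload-artifact pin should move to v4 unless there is a known reason the template keeps v3. `persist-credentials: false` on this checkout is the right pattern and is the only checkout visible in the commit that sets it; the other workflows that only build or test could adopt it too, with rebase.yml as the deliberate exception because it pushes. `publish_results: true` together with `id-token: write` sends the results to the public OpenSSF API, which is presumably intended for the badge; a comment on that input saying so, e.g. `# publishes results to the public OpenSSF Scorecard API (badge)`, would make the disclosure explicit.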
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml index 7b29970fce..f84f43c9a3 100644 --- a/.github/workflows/stale-issues.yml +++ b/.github/workflows/stale-issues.yml @@ -3,11 +3,17 @@ on: schedule: - cron: "30 1 * * *" # Every day at 1:30 UTC +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - - uses: actions/stale@v9.0.0 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands." diff --git a/Dockerfile b/Dockerfile index 2c70dd4562..a7a74e7774 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. # Velero binary build section -FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS velero-builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:f020456572fc292e9627b3fb435c6de5dfb8020fbcef1fd7b65dd092c0ac56bb AS velero-builder ARG GOPROXY ARG BIN @@ -47,7 +47,7 @@ RUN mkdir -p /output/usr/bin && \ go clean -modcache -cache # Restic binary build section -FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS restic-builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:f020456572fc292e9627b3fb435c6de5dfb8020fbcef1fd7b65dd092c0ac56bb AS restic-builder ARG BIN ARG TARGETOS @@ -70,7 +70,7 @@ RUN mkdir -p /output/usr/bin && \ go clean -modcache -cache # Velero image packing section -FROM paketobuildpacks/run-jammy-tiny:latest +FROM paketobuildpacks/run-jammy-tiny:latest@sha256:0db51d00786437d728ec5d17ffdb8c0149be4ba29ade4e844b747db8494a71b9 LABEL maintainer="Xun Jiang " 
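Review bot: `FROM paketobuildpacks/run-jammy-tiny:latest@sha256:0db51d00786437d728ec5d17ffdb8c0149be4ba29ade4e844b747db8494a71b9` is now digest-pinned, so the `latest` tag no longer selects anything and only documents intent, and a reader cannot tell which release the digest corresponds to; the new Dependabot docker entry will bump the digest but the tag will keep saying `latest`. Replace `latest` with the concrete version tag the digest resolves to (the value is not on the page), as is already done with `golang:1.22-bookworm@sha256:…` in the other two `FROM` lines of this file, so tag and digest stay in step. The `LABEL maintainer=` line continues outside the hunk.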
diff --git a/hack/build-image/Dockerfile b/hack/build-image/Dockerfile index fb72a5290c..6b765df187 100644 --- a/hack/build-image/Dockerfile +++ b/hack/build-image/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$TARGETPLATFORM golang:1.22-bookworm +FROM --platform=$TARGETPLATFORM golang:1.22-bookworm@sha256:f020456572fc292e9627b3fb435c6de5dfb8020fbcef1fd7b65dd092c0ac56bb ARG GOPROXY diff --git a/site/Dockerfile b/site/Dockerfile index b39592c5e9..f10cff467f 100644 --- a/site/Dockerfile +++ b/site/Dockerfile @@ -1,4 +1,4 @@ -FROM klakegg/hugo:0.73.0-ext-ubuntu +FROM klakegg/hugo:0.73.0-ext-ubuntu@sha256:bc1a00d1bc78738250923b97111bf21d135a48b96fab3c21c818842158a19abb WORKDIR /srv/hugo