Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setup scorecard workflow #8127

Closed
wants to merge 1 commit into from
Closed

Conversation

mmorel-35
Copy link
Contributor

@mmorel-35 mmorel-35 commented Aug 19, 2024

Apply security best practices

Thank you for contributing to Velero!

Please add a summary of your change

Setup scorecard workflow ans follow their recommations concerning (with the help of https://app.stepsecurity.io/secureworkflow)

  • pining versions of actions
  • define permission for workflows
  • setup dependabot for Dockerfiles

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Created a changelog file or added /kind changelog-not-required as a comment on this pull request.
  • Updated the corresponding documentation in site/content/docs/main.

@github-actions github-actions bot added the Website non-docs changes for the website label Aug 19, 2024
@mmorel-35
Copy link
Contributor Author

/kind changelog-not-required

@github-actions github-actions bot added the kind/changelog-not-required PR does not require a user changelog. Often for docs, website, or build changes label Aug 19, 2024
Copy link

codecov bot commented Aug 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.01%. Comparing base (a6c5433) to head (5a3bc58).
Report is 98 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8127      +/-   ##
==========================================
- Coverage   59.02%   59.01%   -0.01%     
==========================================
  Files         364      364              
  Lines       30272    30270       -2     
==========================================
- Hits        17867    17864       -3     
- Misses      10959    10960       +1     
  Partials     1446     1446              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

jobs:
# Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it.
build:
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

usually @ v4 should auto upgrade to latest. Is the # v4.1.7 here a manual comment? or something generated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes the V4 auto upgrade to the latest and that's what is identify as a vulnerability.
The # v4.1.7 is a comment that will be updated by dependabot when it creates it's upgrade PR

@blackpiglet blackpiglet added kind/changelog-not-required PR does not require a user changelog. Often for docs, website, or build changes and removed kind/changelog-not-required PR does not require a user changelog. Often for docs, website, or build changes labels Aug 20, 2024
Apply security best practices

Signed-off-by: Matthieu MOREL <[email protected]>
@mmorel-35 mmorel-35 closed this by deleting the head repository Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/changelog-not-required PR does not require a user changelog. Often for docs, website, or build changes Website non-docs changes for the website
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants