diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml index 6742e5c..4686d09 100644 --- a/.github/actionlint.yaml +++ b/.github/actionlint.yaml @@ -6,13 +6,9 @@ self-hosted-runner: # Labels of self-hosted runner in array of strings. # Add other runners if needed labels: - # container runners - - oracle-2cpu-8gb-arm64 - - oracle-2cpu-8gb-x86_64 - # VM runners - - oracle-vm-2cpu-8gb-x86-64 - - oracle-vm-2cpu-8gb-arm64 - - oracle-vm-4cpu-16gb-x86-64 - - oracle-vm-4cpu-16gb-arm64 - - oracle-vm-8cpu-32gb-x86-64 - - oracle-vm-8cpu-32gb-arm64 + - cncf-ubuntu-2-8-x86 + - cncf-ubuntu-4-16-x86 + - cncf-ubuntu-8-32-x86 + - cncf-ubuntu-2-8-arm + - cncf-ubuntu-4-16-arm + - cncf-ubuntu-8-32-arm \ No newline at end of file diff --git a/.github/actions/build/build-binaries/action.yml b/.github/actions/build/build-binaries/action.yml index 38e4fe4..c6bd45e 100644 --- a/.github/actions/build/build-binaries/action.yml +++ b/.github/actions/build/build-binaries/action.yml @@ -25,7 +25,7 @@ runs: # Common build steps ############################################################# - name: Restore Maven cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2/repository key: maven-${{ hashFiles('**/pom.xml') }} @@ -111,7 +111,7 @@ runs: - name: Save Maven cache # Save maven cache only after pushes into default branch if: ${{ inputs.mainJavaBuild == 'true' && github.event_name == 'push' && github.ref_name == github.event.repository.default_branch }} - uses: actions/cache/save@v5 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2/repository key: maven-${{ hashFiles('**/pom.xml') }} 
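Review bot: The new `labels:` list drops the `# container runners` / `# VM runners` grouping comments, and the file now ends without a trailing newline (the `\ No newline at end of file` marker), so the next label added will show up as a two-line diff. I would restore a single comment describing the scheme, e.g. `# CNCF-hosted runners: cncf-ubuntu-<cpus>-<gb>-<arch>`, and end the file with a newline. Also note that actionlint only checks that `runs-on` labels are spelled the way this file says; it cannot tell you whether a pool exists, so any consuming workflow still using the removed `oracle-*` labels will only fail at dispatch time — worth grepping the downstream repositories before merging.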
@@ -138,14 +138,14 @@ runs: - name: Upload artifact if: ${{ inputs.mainJavaBuild == 'true' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: binaries-${{ inputs.artifactSuffix }}.tar path: binaries-${{ inputs.artifactSuffix }}.tar retention-days: 7 - name: Publish test results - uses: dorny/test-reporter@v3 + uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0 if: always() && inputs.clusterOperatorBuild != 'true' with: name: 'Unit & Integration tests' diff --git a/.github/actions/build/build-containers/action.yml b/.github/actions/build/build-containers/action.yml index e32eb00..ee3d80a 100644 --- a/.github/actions/build/build-containers/action.yml +++ b/.github/actions/build/build-containers/action.yml @@ -34,13 +34,13 @@ runs: steps: - name: Download binaries from this workflow if: ${{ inputs.buildRunId == '' }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: binaries-${{ inputs.artifactSuffix }}.tar - name: Download binaries from external build if: ${{ inputs.buildRunId != '' }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: binaries-${{ inputs.artifactSuffix }}.tar run-id: ${{ inputs.buildRunId }} @@ -67,7 +67,7 @@ runs: run: "tar -cvpf containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar ${{ inputs.imagesLocation }}" - name: Upload containers artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar path: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar diff --git a/.github/actions/build/deploy-java/action.yml b/.github/actions/build/deploy-java/action.yml index 94e81bd..9334ba6 100644 
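Review bot: Both `actions/download-artifact` steps in build-containers are pinned to `3e5f45b2…` annotated `# v8.0.1`, but the tag they replace is `v7`, so a major-version jump is being made inside a change that reads as pure SHA pinning, while `actions/upload-artifact` in the same action stays on `# v7.0.1`. Please confirm the SHA really is the v8.0.1 release commit (Dependabot and future reviewers will trust the trailing comment) and that download-artifact v8 still consumes artifacts produced by upload-artifact v7; if it does not, it will only surface at run time in the two `Download binaries` steps. The same v7 to v8 move appears in publish-helm-chart and push-containers, so either keep the pin at a v7 commit or call the bump out explicitly in the PR description. I cannot see the upstream tags from here, so this is a request to verify rather than a confirmed break.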
--- a/.github/actions/build/deploy-java/action.yml +++ b/.github/actions/build/deploy-java/action.yml @@ -22,7 +22,7 @@ runs: using: "composite" steps: - name: Restore Maven cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2/repository key: maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/actions/build/publish-helm-chart/action.yml b/.github/actions/build/publish-helm-chart/action.yml index e1b678b..5085265 100644 --- a/.github/actions/build/publish-helm-chart/action.yml +++ b/.github/actions/build/publish-helm-chart/action.yml @@ -30,7 +30,7 @@ runs: using: "composite" steps: - name: Download release artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar path: ./ diff --git a/.github/actions/build/push-containers/action.yml b/.github/actions/build/push-containers/action.yml index cb6d1b3..1d47db1 100644 --- a/.github/actions/build/push-containers/action.yml +++ b/.github/actions/build/push-containers/action.yml @@ -35,11 +35,11 @@ runs: using: "composite" steps: - name: Install Cosign - uses: sigstore/cosign-installer@v4.0.0 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Download container artifact if: ${{ inputs.buildRunId != '' }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: containers-${{ inputs.artifactSuffix }}* path: ./ @@ -49,7 +49,7 @@ runs: - name: Download container artifact if: ${{ inputs.buildRunId == '' }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: containers-${{ inputs.artifactSuffix }}* path: ./ 
@@ -144,7 +144,7 @@ runs: # The keyless signing doesn't work on pull_requests events so this part will be tested only during push events # It shouldn't affect the usage in Strimzi projects as images are always pushed and signed during push or workflow_dispatch events if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: SBOMs-${{ inputs.artifactSuffix }}-${{ inputs.containerTag }}.tar.gz path: sbom.tar.gz diff --git a/.github/actions/build/release-artifacts/action.yml b/.github/actions/build/release-artifacts/action.yml index be5b469..bad0488 100644 --- a/.github/actions/build/release-artifacts/action.yml +++ b/.github/actions/build/release-artifacts/action.yml @@ -13,7 +13,7 @@ runs: using: "composite" steps: - name: Restore Maven cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2/repository key: maven-${{ hashFiles('**/pom.xml') }} @@ -37,7 +37,7 @@ runs: -exec tar -rvf release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar {} \; - name: Upload release artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar path: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar diff --git a/.github/actions/dependencies/install-ascii-doctor/action.yml b/.github/actions/dependencies/install-ascii-doctor/action.yml index 2655cbf..6401c58 100644 --- a/.github/actions/dependencies/install-ascii-doctor/action.yml +++ b/.github/actions/dependencies/install-ascii-doctor/action.yml @@ -11,7 +11,7 @@ runs: using: "composite" steps: - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0 with: ruby-version: ${{ inputs.rubyVersion }} 
diff --git a/.github/actions/dependencies/install-docker/action.yml b/.github/actions/dependencies/install-docker/action.yml index acd1a15..8a46c72 100644 --- a/.github/actions/dependencies/install-docker/action.yml +++ b/.github/actions/dependencies/install-docker/action.yml @@ -9,12 +9,12 @@ runs: run: "docker --version" - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 with: platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x driver: docker diff --git a/.github/actions/dependencies/install-helm/setup-helm.sh b/.github/actions/dependencies/install-helm/setup-helm.sh index e43b3e8..ff57cf7 100755 --- a/.github/actions/dependencies/install-helm/setup-helm.sh +++ b/.github/actions/dependencies/install-helm/setup-helm.sh @@ -13,7 +13,7 @@ function install_helm3 { fi export HELM_INSTALL_DIR=/usr/bin - curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > get_helm.sh + curl https://raw.githubusercontent.com/helm/helm/06468084e85c244c712834933d25ea232a4c2093/scripts/get > get_helm.sh # v4.2.0 # we need to modify the script with a different path because on the Azure pipelines the HELM_INSTALL_DIR env var is not honoured sed -i 's#/usr/local/bin#/usr/bin#g' get_helm.sh chmod 700 get_helm.sh diff --git a/.github/actions/dependencies/setup-java/action.yml b/.github/actions/dependencies/setup-java/action.yml index a6710b1..661a459 100644 --- a/.github/actions/dependencies/setup-java/action.yml +++ b/.github/actions/dependencies/setup-java/action.yml 
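Review bot: `curl https://raw.githubusercontent.com/helm/helm/06468084…/scripts/get > get_helm.sh` has no `--fail`, so a 404 or rate-limit response body is written to `get_helm.sh`, made executable by the following `chmod 700`, and presumably executed by the rest of `install_helm3`, which continues outside this hunk; pinning the commit fixes which script you intend to fetch, not what you actually received. Since the pinned content is immutable by construction, record its digest once and verify before use: `curl -fsSL "$HELM_GET_URL" -o get_helm.sh && echo "<sha256>  get_helm.sh" | sha256sum -c -` (compute the digest from the pinned commit; I have deliberately not guessed one). Also note this raw-URL pin is invisible to the new dependabot.yml, which only tracks `uses:` references, so the `# v4.2.0` comment will need manual bumps.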
@@ -19,11 +19,11 @@ runs: using: "composite" steps: - name: Set up Maven - uses: stCarolas/setup-maven@v5.1 + uses: stCarolas/setup-maven@12eb41b233df95d49b0c11fc1b5bc8312e5d4ce0 # v5.1 with: maven-version: ${{ inputs.mavenVersion }} - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: ${{ inputs.javaDistro }} java-version: ${{ inputs.javaVersion }} diff --git a/.github/actions/dependencies/setup-kind/action.yml b/.github/actions/dependencies/setup-kind/action.yml index 41f6da6..530595f 100644 --- a/.github/actions/dependencies/setup-kind/action.yml +++ b/.github/actions/dependencies/setup-kind/action.yml @@ -32,7 +32,7 @@ runs: steps: - name: Cache registry Docker image id: cache-registry - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /tmp/registry-image-${{ inputs.architecture }}.tar key: registry-image @@ -52,7 +52,7 @@ runs: - name: Cache cloud-provider-kind container image id: cache-cloud-provider-kind - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /tmp/cloud-provider-kind-image-${{ inputs.architecture }}.tar key: cloud-provider-kind diff --git a/.github/actions/dependencies/setup-minikube/action.yml b/.github/actions/dependencies/setup-minikube/action.yml index 8ba1b83..0333856 100644 --- a/.github/actions/dependencies/setup-minikube/action.yml +++ b/.github/actions/dependencies/setup-minikube/action.yml @@ -24,7 +24,7 @@ runs: steps: - name: Cache registry Docker image id: cache-registry - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /tmp/registry-image.tar key: registry-image diff --git a/.github/actions/utils/check-permissions/action.yml b/.github/actions/utils/check-permissions/action.yml index 87f2be1..659f201 100644 --- a/.github/actions/utils/check-permissions/action.yml 
+++ b/.github/actions/utils/check-permissions/action.yml @@ -13,7 +13,7 @@ runs: using: composite steps: - name: Check repository permission / team membership - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: TEAM: ${{ inputs.team }} MESSAGE: ${{ inputs.message }} diff --git a/.github/actions/utils/determine-ref/action.yml b/.github/actions/utils/determine-ref/action.yml index 59fd5c1..a3742a4 100644 --- a/.github/actions/utils/determine-ref/action.yml +++ b/.github/actions/utils/determine-ref/action.yml @@ -14,7 +14,7 @@ runs: steps: - name: Determine ref and SHA id: determine - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const {owner, repo} = context.repo; diff --git a/.github/actions/utils/should-run/action.yml b/.github/actions/utils/should-run/action.yml index ef4bf7f..be711b6 100644 --- a/.github/actions/utils/should-run/action.yml +++ b/.github/actions/utils/should-run/action.yml @@ -11,7 +11,7 @@ runs: steps: - name: Should Run id: should_run - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const ev = context.eventName; diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..325bfd2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + # Workflows are loaded automatically when / is specified in the directories list + directories: + - "/" + - "/.github/actions/build/*" + - "/.github/actions/dependencies/*" + - "/.github/actions/utils/*" + schedule: + interval: "weekly" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..4d6e154 --- /dev/null +++ b/.github/workflows/codeql.yml 
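Review bot: This config only tracks `uses:` references, so several pins introduced in the same commit will never be bumped by it: the `docker://rhysd/actionlint@sha256:…` image in lint.yml (to my knowledge the github-actions ecosystem does not update `docker://` references — please verify), and the raw-URL commit pins in `setup-helm.sh` and the `act` installer lines in test-utils.yml. Either add whatever Dependabot supports for those, or record the gap so nobody assumes they are covered, e.g. `# NOTE: docker:// and raw.githubusercontent.com pins are not tracked here; bump manually.` The `directories` globs cover the three existing `.github/actions/*` folders, but a new top-level folder under `.github/actions/` would need an entry added here as well.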
@@ -0,0 +1,30 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '23 17 * * 3' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + with: + languages: actions + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 69f4abb..f8f9ca4 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,7 +16,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: docker://rhysd/actionlint:1.7.10 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 # v1.7.12 with: args: -color diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 62f8688..a89f2e5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,9 @@ on: required: false type: string +permissions: + contents: read + jobs: release: runs-on: ubuntu-latest @@ -31,7 +34,7 @@ jobs: echo "major=${BASH_REMATCH[1]}" >> "$GITHUB_OUTPUT" - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 diff --git a/.github/workflows/reusable-test-integrations.yml b/.github/workflows/reusable-test-integrations.yml index f464b86..abb23fd 100644 --- a/.github/workflows/reusable-test-integrations.yml +++ b/.github/workflows/reusable-test-integrations.yml 
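Review bot: The checkout step in codeql.yml does not set `persist-credentials: false`, so `actions/checkout` leaves the job's `GITHUB_TOKEN` in `.git/config` for the rest of a job that holds `security-events: write`; scorecards.yml in this same commit does set it, so I would make the two consistent by adding `persist-credentials: false` under a `with:` block on the checkout step — CodeQL for `languages: actions` needs no git credentials after checkout. A `timeout-minutes:` on the `analyze` job would also bound a hung analysis. On a private repository the job would additionally need `actions: read`; not an issue for a public repo, just noting the difference.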
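Review bot: The new workflow-level `permissions: contents: read` in release.yml is the right default, but the `release` job's remaining steps are outside this hunk; if any of them pushes a tag or branch or creates a GitHub release with `GITHUB_TOKEN`, it will now fail with a 403 and needs a job-level `permissions:` block granting only `contents: write`. Worth triggering the `workflow_dispatch` once before relying on it. The checkout also keeps the default `persist-credentials: true` together with `fetch-depth: 0`; if the job only reads history for version detection, add `persist-credentials: false` here too.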
@@ -74,13 +74,13 @@ jobs: timeout-minutes: 60 steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} @@ -145,13 +145,13 @@ jobs: timeout-minutes: 20 steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} @@ -261,13 +261,13 @@ jobs: timeout-minutes: 45 steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} @@ -301,13 +301,13 @@ jobs: timeout-minutes: 20 steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} 
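Review bot: Every `Checkout ${{ inputs.repo }}` step in these hunks checks out a repository and ref supplied by the caller with the default `persist-credentials: true`, which leaves the calling workflow's `GITHUB_TOKEN` in that checkout's `.git/config` while code from that ref is, presumably in the steps outside these hunks, built and run. If `inputs.ref` can ever be a pull-request head from a fork, that is the standard token-exfiltration path; add `persist-credentials: false` to those checkout steps unless a later step needs to push. The second checkout of `strimzi/github-actions` at `githubActionsRef || github.sha` is controlled by this repository's callers and is lower risk, but would also work with credentials disabled.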
@@ -353,13 +353,13 @@ jobs: timeout-minutes: 15 steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} @@ -434,13 +434,13 @@ jobs: steps: - name: Checkout ${{ inputs.repo }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} ref: ${{ inputs.ref }} - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/github-actions ref: ${{ inputs.githubActionsRef || github.sha }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000..5367f71 --- /dev/null +++ b/.github/workflows/scorecards.yml 
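Review bot: Both `Checkout ${{ inputs.repo }}` steps here check out a caller-supplied repository and ref while keeping the default `persist-credentials: true`, so the `GITHUB_TOKEN` remains in `.git/config` while that ref's code is, presumably in the steps outside these hunks, executed. Unless a later step pushes with it, add `persist-credentials: false` to these checkout steps; if `inputs.ref` can be a fork's pull-request head this is the main thing standing between that code and the token. The `strimzi/github-actions` checkout can take the same setting for consistency.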
@@ -0,0 +1,63 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '39 7 * * 6' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. 
+ - name: "Upload artifact" + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + with: + sarif_file: results.sarif diff --git a/.github/workflows/test-dependencies.yml b/.github/workflows/test-dependencies.yml index e50876d..f742f97 100644 --- a/.github/workflows/test-dependencies.yml +++ b/.github/workflows/test-dependencies.yml @@ -23,7 +23,7 @@ jobs: name: Test install-docker runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run install-docker action uses: ./.github/actions/dependencies/install-docker @@ -53,7 +53,7 @@ jobs: - 'v3.20.0' - 'v3.16.0' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run install-helm action uses: ./.github/actions/dependencies/install-helm @@ -83,7 +83,7 @@ jobs: - '0.11.0' - '0.10.0' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run install-shellcheck action uses: ./.github/actions/dependencies/install-shellcheck @@ -114,7 +114,7 @@ jobs: - '1.0.0' - '1.20.0' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run install-syft action uses: ./.github/actions/dependencies/install-syft @@ -139,7 +139,7 @@ jobs: - 'v4.6.3' - 'v4.52.2' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run install-yq action uses: ./.github/actions/dependencies/install-yq 
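Review bot: The workflow-level `permissions: read-all` grants every read scope to the single job, whereas codeql.yml and release.yml in this same commit use `contents: read`; the Scorecard job only needs `contents: read` plus the job-level `security-events: write` and `id-token: write` it already declares, so `permissions:` with `contents: read` would be the least-privilege choice (this is the upstream template's default, so not an error). The `repo_token` / fine-grained PAT comment block is template text that does not apply to a public repository that is not using the Branch-Protection check; trimming it to one line avoids suggesting a PAT is needed. `persist-credentials: false` on the checkout is correct here and worth mirroring in codeql.yml.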
@@ -163,7 +163,7 @@ jobs: javaVersion: ['17', '21'] mavenVersion: ['3.9.9', '3.8.8'] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run setup-java action uses: ./.github/actions/dependencies/setup-java @@ -208,7 +208,7 @@ jobs: workerNodes: 3 expectedK8sVersion: "1.35" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run setup-kind action uses: ./.github/actions/dependencies/setup-kind @@ -304,7 +304,7 @@ jobs: - 'v1.30.0' - 'v1.35.0' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run setup-minikube action uses: ./.github/actions/dependencies/setup-minikube diff --git a/.github/workflows/test-utils.yml b/.github/workflows/test-utils.yml index 5fa7482..8220c9a 100644 --- a/.github/workflows/test-utils.yml +++ b/.github/workflows/test-utils.yml @@ -16,13 +16,13 @@ jobs: test-check-permissions: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Install dependencies - name: Install act run: | # Install act for workflow testing - curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash + curl -s https://raw.githubusercontent.com/nektos/act/4f411281417e88660bea1c1a1749aa71ae0bd60f/install.sh | sudo bash # v0.2.89 sudo install -m 0755 ./bin/act /usr/local/bin/act - name: Install yq 
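Review bot: `curl -s https://raw.githubusercontent.com/nektos/act/4f4112…/install.sh | sudo bash` pins the installer script's commit but, as far as I can tell from act's godownloader-style installer, the script fetches the latest release tarball unless a tag is passed, so the `act` binary actually installed is still unpinned and `# v0.2.89` describes only the script. Add `-f` so an HTTP error body is not piped into `sudo bash`, download to a file and pass the tag explicitly: `curl -fsSL "$ACT_INSTALLER_URL" -o install-act.sh` followed by `sudo bash install-act.sh v0.2.89` (check the pinned script's usage text to confirm it accepts a tag argument). As with the helm installer, this raw-URL pin is not covered by the new dependabot.yml and will need manual bumps.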
@@ -110,13 +110,13 @@ jobs: test-should-run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Install dependencies - name: Install act run: | # Install act for workflow testing - curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash + curl -s https://raw.githubusercontent.com/nektos/act/4f411281417e88660bea1c1a1749aa71ae0bd60f/install.sh | sudo bash # v0.2.89 sudo install -m 0755 ./bin/act /usr/local/bin/act - name: Install yq diff --git a/README.md b/README.md index 20e3be9..0fe0ebe 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/strimzi/github-actions/badge)](https://scorecard.dev/viewer/?uri=github.com/strimzi/github-actions) [![Build Status - dependencies](https://github.com/strimzi/github-actions/actions/workflows/test-dependencies.yml/badge.svg)](https://github.com/strimzi/github-actions/actions/workflows/test-dependencies.yml) [![Build Status - integrations](https://github.com/strimzi/github-actions/actions/workflows/test-integrations.yml/badge.svg)](https://github.com/strimzi/github-actions/actions/workflows/test-integrations.yml) [![Build Status - utils](https://github.com/strimzi/github-actions/actions/workflows/test-utils.yml/badge.svg)](https://github.com/strimzi/github-actions/actions/workflows/test-utils.yml) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..bf0e31f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,7 @@ +# Security Policy + +This repository follows the [Strimzi organization security policy](https://github.com/strimzi/.github/blob/main/SECURITY.md). + +To report a security vulnerability, please email [cncf-strimzi-maintainers@lists.cncf.io](mailto:cncf-strimzi-maintainers@lists.cncf.io). + +**Please do not file public GitHub issues for security vulnerabilities.**
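Review bot: The `curl -s … install.sh | sudo bash` line in `test-should-run` pins the installer script's commit, but if act's installer behaves like the godownloader scripts it is derived from, it downloads the latest release unless a tag argument is given, so the installed `act` is not actually pinned and the `# v0.2.89` comment is only documentation. Use `-f` so an HTTP error is not executed, save the script and pass the tag: `curl -fsSL "$ACT_INSTALLER_URL" -o install-act.sh` then `sudo bash install-act.sh v0.2.89`, after confirming the argument against the pinned script. The same fix applies to the identical line in `test-check-permissions`, and neither raw-URL pin is tracked by the new dependabot.yml.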