From 7b906305997124760fcea127b8677ab5e3130c4f Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 24 Mar 2025 06:41:17 +0000
Subject: [PATCH 1/2] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 21 ++++++++++++++++++
 .github/workflows/build-push.yaml | 8 +++----
 .github/workflows/build.yaml | 4 ++--
 .github/workflows/dependency-review.yaml | 4 ++--
 .github/workflows/lint.yaml | 28 ++++++++++++------------
 .github/workflows/test-chart.yml | 9 +++++---
 .github/workflows/test_operator.yaml | 9 +++++---
 .github/workflows/unit-test.yaml | 4 ++--
 8 files changed, 57 insertions(+), 30 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 18e4d5c1e..d0e86ce90 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -18,8 +18,29 @@ updates:
 patterns:
 - "github.com*"
+ - package-ecosystem: "gomod"
+ directory: "/api" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ groups:
+ golang-dependencies:
+ patterns:
+ - "github.com/golang*"
+ k8s-dependencies:
+ patterns:
+ - "k8s.io*"
+ - "sigs.k8s.io*"
+ github-dependencies:
+ patterns:
+ - "github.com*"
 # Dependencies listed in .github/workflows/*.yml
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/build-push.yaml b/.github/workflows/build-push.yaml
index 2ce4eff4e..9152b29cc 100644
--- a/.github/workflows/build-push.yaml
+++ b/.github/workflows/build-push.yaml
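Review bot: The new `docker` ecosystem entry at the end of the hunk only improves supply-chain integrity if the Dockerfile under `directory: /` pins its base images by digest (`FROM image:tag@sha256:…`); with a bare tag Dependabot merely bumps the tag and the build still pulls whatever the registry serves for it. The Dockerfile is not in this diff, so confirm and pin if needed. Separately, in the `/api` gomod block the `golang-dependencies` pattern `github.com/golang*` is also matched by the later `github-dependencies` pattern `github.com*`; as far as I recall Dependabot assigns a dependency to the first group it matches, so the order is what makes this work and deserves a comment such as `# order matters: github.com/golang* must stay ahead of github.com*`.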
@@ -16,16 +16,16 @@ jobs:
 if: github.repository == 'ceph/ceph-csi-operator'
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - name: Login to Quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_IO_USERNAME }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d6dcb1145..f94fbe48d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,10 +18,10 @@ jobs:
 name: build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 - name: run make build
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index b9d6d20ff..6d7e44608 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -9,6 +9,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Checkout Repository'
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index cec16eb1b..de4559596 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
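Review bot: build-push.yaml is the one workflow in this patch that handles registry credentials (`secrets.QUAY_IO_USERNAME` in the Login to Quay.io step), yet unlike test-chart.yml and test_operator.yaml it receives no top-level `permissions:` block here. The head of the file is outside the hunk, so if no such block exists add `permissions:` / `  contents: read` at workflow level so a compromised action or build step cannot combine the Quay credentials with a write-scoped GITHUB_TOKEN. The `if: github.repository == 'ceph/ceph-csi-operator'` guard keeps forks from running the job but does nothing to narrow token scope. The job definition this hunk belongs to starts above the hunk.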
@@ -20,11 +20,11 @@ jobs:
 name: codespell
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
 - name: codespell
- uses: codespell-project/actions-codespell@master
+ uses: codespell-project/actions-codespell@fad9339798e1ee3fe979ae0a022c931786a408b8 # master
 with:
 skip: .git,*.sum,vendor
 ignore_words_list: AfterAll,NotIn,notin,immediatedly
@@ -34,11 +34,11 @@ jobs:
 name: misspell
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
 - name: misspell
- uses: reviewdog/action-misspell@v1
+ uses: reviewdog/action-misspell@9daa94af4357dddb6fd3775de806bc0a8e98d3e4 # v1.26.3
 with:
 exclude: ./vendor/*
@@ -46,10 +46,10 @@ jobs:
 name: golangci-lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 - name: run golangci-lint
@@ -59,21 +59,21 @@ jobs:
 name: govulncheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 check-latest: true
 - name: govulncheck
- uses: golang/govulncheck-action@v1
+ uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
 markdownlint:
 name: markdownlint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
 - name: run markdownlint
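Review bot: In the codespell hunk the new pin `codespell-project/actions-codespell@fad9339798e1ee3fe979ae0a022c931786a408b8 # master` freezes a commit taken from the `master` branch rather than a release, and Dependabot reads the trailing comment to decide what to track, so every future update will follow the branch head and pull in unreviewed changes instead of a tagged release. The immutable SHA is still an improvement over the old `@master`, but the intent of pinning is lost on the next bump. Prefer the SHA of a release tag with that tag in the comment, e.g. `uses: codespell-project/actions-codespell@<sha-of-release-tag> # vX.Y`, if the project publishes one; otherwise add a comment recording that this deliberately tracks `master`.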
@@ -83,9 +83,9 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
+ uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master
 with:
 severity: warning
 check_together: 'yes'
@@ -97,10 +97,10 @@ jobs:
 name: modcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 - name: run mod check
diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml
index a32427c22..2de551304 100644
--- a/.github/workflows/test-chart.yml
+++ b/.github/workflows/test-chart.yml
@@ -3,22 +3,25 @@ name: Test Charts
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 test-operator:
 name: operator chart
 runs-on: ubuntu-latest
 steps:
 - name: Clone the code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 - name: set up tmate session for debugging
 if: ${{ failure() || runner.debug || contains(github.event.pull_request.labels.*.name, 'debug-ci') }}
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
 with:
 limit-access-to-actor: false
 detached: true
diff --git a/.github/workflows/test_operator.yaml b/.github/workflows/test_operator.yaml
index 463bf0a64..c4983ae73 100644
--- a/.github/workflows/test_operator.yaml
+++ b/.github/workflows/test_operator.yaml
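Review bot: The Shellcheck hunk pins `ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master`, so the SHA is immutable today but the `# master` comment tells Dependabot to keep following the branch head, which means the next automated bump brings whatever landed on `master` rather than a reviewed release. Since ShellCheck runs over every script in the checkout, keeping this on a release tag matters. Change the comment and SHA to a tagged release, e.g. `uses: ludeeus/action-shellcheck@<sha-of-release-tag> # vX.Y.Z`, if one exists; otherwise document the choice with a comment above the step.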
@@ -15,22 +15,25 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 - name: set up tmate session for debugging
 if: ${{ failure() || runner.debug || contains(github.event.pull_request.labels.*.name, 'debug-ci') }}
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
 with:
 limit-access-to-actor: false
 detached: true
diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml
index 1c069025c..341aca642 100644
--- a/.github/workflows/unit-test.yaml
+++ b/.github/workflows/unit-test.yaml
@@ -21,11 +21,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
 - name: setup go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
 with:
 go-version-file: go.mod
 check-latest: true
From f5fa585bed0f8aeeccb5d8b36b8d6c47e8b69865 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Mon, 24 Mar 2025 07:51:40 +0100
Subject: [PATCH 2/2] ci: remove tmate from ci
removing tmate from github action as its from third party
Signed-off-by: Madhu Rajanna
---
 .github/workflows/test-chart.yml | 7 -------
 .github/workflows/test_operator.yaml | 8 --------
 2 files changed, 15 deletions(-)
diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml
index 2de551304..a18029c58 100644
--- a/.github/workflows/test-chart.yml
+++ b/.github/workflows/test-chart.yml
@@ -19,13 +19,6 @@ jobs:
 with:
 go-version-file: go.mod
- - name: set up tmate session for debugging
- if: ${{ failure() || runner.debug || contains(github.event.pull_request.labels.*.name, 'debug-ci') }}
- uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
- with:
- limit-access-to-actor: false
- detached: true
-
 - name: Setup Minikube
 run: |
 test/scripts/github-action-helper.sh install_minikube_with_none_driver
diff --git a/.github/workflows/test_operator.yaml b/.github/workflows/test_operator.yaml
index c4983ae73..9e9d79e4c 100644
--- a/.github/workflows/test_operator.yaml
+++ b/.github/workflows/test_operator.yaml
@@ -31,14 +31,6 @@ jobs:
 with:
 go-version-file: go.mod
- - name: set up tmate session for debugging
- if: ${{ failure() || runner.debug || contains(github.event.pull_request.labels.*.name, 'debug-ci') }}
- uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
- with:
- limit-access-to-actor: false
- detached: true
-
-
 - name: Setup Minikube
 run: |
 test/scripts/github-action-helper.sh install_minikube_with_none_driver