Previously, this was done manually by humans and was therefore not always done consistently. Sometimes dependencies would be missed, other times dependencies would not be updated at all. Additionally, we only used tags which, while good from a release point of view, were not proof against supply chain attacks. This automates the process to hopefully bring in a sense of consistency and allow us to leverage SHA sums to guard against supply chain attacks.
Ensure that the go version (and others) is the same across all points of reference. In the case of golang, we start by deriving the available go version from our distro of choice (Alpine) to ensure that it is used the same everywhere.
087e338 to 74383fa
Attempts to bound the context a bit when people have to look at these files by splitting them across multiple files and making each one a logical part of the CI lifecycle.
With the prevalence of recent supply chain attacks, this helps avert dependency tampering with re-released versions by pinning to specific SHA sums. This is fully compliant with dependabot as it will update both the SHA and the commented version when it does its updates. This also helps prepare for OpenSSF integration by hardening the CI process.
When this is not explicitly set, codeql still works, but if anything ever changes (with autodetection) in the future, it will just silently succeed without producing results. This corrects that by explicitly saying that we want it to look for golang.
Adds a scan target which is automatically added to the prep-release target that checks for grype vulnerabilities during the release preparation flow.
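An audit for the SHA and digest pinning these commits describe, added here as an example and not taken from the PR: it flags any workflow `uses:` or `image:` reference that is still a mutable tag or branch. The sample workflow, the 40-character SHA and the version comment are constructed placeholders.

```python
import re

# Constructed sample workflow: the SHA and version comment are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: golang:1.25.7-alpine3.23
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.23
      - uses: example-org/example-action@main
"""

KEY_RE = re.compile(r"^\s*(?:-\s*)?(uses|image):\s*[\"']?([^\s\"'#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit(workflow_text):
    """Return (line, reference, problem) for every mutable reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        key, ref = m.groups()
        if key == "uses" and ref.startswith("./"):
            continue  # local action or reusable workflow, versioned with the repo
        if key == "image" or ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref, "image is not pinned by digest"))
        elif not FULL_SHA_RE.fullmatch(ref.partition("@")[2]):
            findings.append((lineno, ref, "action is not pinned to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```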
74383fa to ac1d5fb
3738670 to 03fd533
mrueg reviewed Mar 26, 2026
| -w /go/src/github.com/cloudnativelabs/kube-router $(DOCKER_BUILD_IMAGE) \ | ||
| sh -c \ | ||
| 'go install gotest.tools/gotestsum@latest && CGO_ENABLED=0 gotestsum --format gotestdox -- -timeout 30s github.com/cloudnativelabs/kube-router/v2/cmd/kube-router/ github.com/cloudnativelabs/kube-router/v2/...' | ||
| 'go install gotest.tools/gotestsum@$(GOTESTSUM_VERSION) && CGO_ENABLED=0 gotestsum --format gotestdox -- -timeout 30s github.com/cloudnativelabs/kube-router/v2/cmd/kube-router/ github.com/cloudnativelabs/kube-router/v2/...' |
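Review bot: On the added go install gotest.tools/gotestsum@$(GOTESTSUM_VERSION) line, Make expands the variable before the shell runs and nothing in this hunk guards against it being unset; an empty value leaves gotestsum@ with no version after the @, and that failure only surfaces inside the container. Consider failing early in the target when GOTESTSUM_VERSION is empty. The pin is also a version tag rather than a hash, and the tool is still fetched and built on every test run, so it does not get the same treatment as the SHA-pinned references elsewhere in this change.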
Collaborator
We should probably use go tool / go mod tool for this instead of go install. See also: https://tip.golang.org/doc/modules/managing-dependencies#tools
CI Security Hardening Pull Request
What type of PR is this?
feature
What this PR does / why we need it:
Hardens the CI pipeline against supply chain attacks and improves release artifact trust. I tried to do this in a way that would balance our small maintainer team and the medium size of this repo with best practices.
This is also necessary / timely because of upcoming EU CRA compliance which requires SBOMs for software used in the EU. While kube-router isn't a sold product, it's still probably a good practice to begin adopting.
This PR is chained off of #2035 and is meant to be merged after #2035 is merged and a rebase has been performed.
CI refactor:
ci.yml into an orchestrating caller (ci.yml) and three reusable workflow_call workflows (ci-checks.yml, ci-container.yml, ci-release.yml), plus a local composite action for the repeated checkout + setup-go steps. All jobs remain sequential via needs: and PR status checks are fully preserved.
ci-unicode-check has been added to check for any malicious content that might be sent with PRs but is otherwise hidden from reviews using special Unicode characters.
Supply chain hardening:
github-actions config will maintain these automatically.
golang:1.25.7-alpine3.23, alpine:3.23) pinned by digest in both ci.yml and the Makefile to ensure identical builds locally and in CI.
Code quality fixes:
languages: go to prevent silent scan failures if autobuild heuristics fail
Release artifact trust:
in Rekor
cosign attest—verifiable directly from the image without visiting GitHub
actions/attest
CVE scanning:
make scan added to the Makefile (Docker-first, local fallback, same BUILD_IN_DOCKER pattern as all other targets) using Grype to scan the locally-built container image
make prep-release now includes scan as its final step.
grype.yaml configures only-fixed: true (suppresses Alpine CVEs with no upstream patch) and ignores the self-referential kube-router finding
newly published transitive dependency CVEs, and complex conditional logic for bugfix vs new-release branches would create uncontrollable CI failures for a small maintainer team. CodeQL and Dependabot continue to provide automated coverage. OpenSSF Scorecard is unaffected — no Scorecard check evaluates whether container image CVE scanning runs in CI.
OpenSSF Scorecard:
scorecard.yml workflow runs on push to master, weekly, and on branch protection rule changes
tab
gotestsum pinned:
GOTESTSUM_VERSION=v1.13.0 added alongside other tool version constants; both @latest references replaced
Which issue(s) this PR is related to:
N/A
Was AI used during the creation of this PR?
directed the work, made all architectural decisions, reviewed every phase before committing, and pushed back on several proposals (e.g. removing Grype from CI, workflow_run vs workflow_call, env var vs hardcoded versions).
selection (including upstream health evaluation of alternatives) was created and reviewed before implementation began. The plan lives in .plans/CiSecurityHardening/PLAN.md.
proceeding. Several AI proposals were rejected or revised based on human judgment.
What, if any, amount of integration testing was done with this change in a Kubernetes environment?
No Kubernetes integration testing — this PR touches only CI workflows, the Makefile, and repository configuration files. No kube-router runtime behaviour is changed.
make scan was validated locally against an existing built image.
Does this PR introduce a breaking change?
Anything else the reviewer should know that wasn't already covered?
Permissions model: workflow_call requires permissions to be granted in the caller (ci.yml) — called workflows cannot self-elevate. The release job explicitly grants contents: write, id-token: write, and attestations: write. The container job grants id-token: write and attestations: write. Both are commented in the file.
Digest pins will drift: The base image digests in ci.yml and the Makefile will go stale as Alpine and Go release patches. These are intentionally pinned for build reproducibility and CVE scan consistency between local and CI environments. They should be updated as part of normal dependency maintenance via make update-deps. Dependabot does not currently track env-var image references, so this is a manual step for now.
First Scorecard run: The score will be zero/unavailable until the workflow runs on master for the first time. Several checks (e.g. Branch-Protection, Code-Review) depend on repository settings rather than code and may require separate configuration to improve.