diff --git a/.github/actions/documentation/Dockerfile b/.github/actions/documentation/Dockerfile index dc8b553fc..14bc51fc8 100644 --- a/.github/actions/documentation/Dockerfile +++ b/.github/actions/documentation/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/python-39:1-161 +FROM registry.access.redhat.com/ubi9/python-39:1-161@sha256:28cdbc26c697050370095ff2cffa1b8403f5501720b99f3796efeee896e1727d # Pin versions in pip. # hadolint ignore=DL3013 diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e3a5727bd..641ccadd7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,3 +13,8 @@ updates: directory: / schedule: interval: daily + + - package-ecosystem: docker + directory: /.github/actions/documentation + schedule: + interval: daily diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0b82f83af..9f1ee8ca4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -22,6 +22,9 @@ on: # workflow_dispatch allows manual triggering of this workflow. workflow_dispatch: +permissions: + contents: read + jobs: analyze: name: Analyze @@ -39,17 +42,22 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: languages: ${{ matrix.language }} tools: latest 
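Review bot: The new `package-ecosystem: docker` entry watches only `/.github/actions/documentation`, yet this same commit digest-pins three `FROM` lines in the root `Dockerfile`, and a digest never advances on its own. The `package-ecosystem` of the existing entry above (`directory: /`) is outside the hunk, so unless that one is already `docker`, add a second stanza `- package-ecosystem: docker` / `directory: /` with the same daily schedule; otherwise the `ubi`, `ubi-minimal` and `oct:latest` pins will silently stop tracking their tags.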
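Review bot: The workflow-level `permissions: contents: read` added above `jobs:` switches every other scope off, and CodeQL's `analyze` step needs `security-events: write` to upload results. The `analyze` job's own `permissions:` block, if it has one, sits between this hunk and the next and is not visible here, so confirm it still grants `security-events: write` (and `actions: read` if the repository is private, as the CodeQL template notes) before merging.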
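Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; nothing is blocked, so the step is telemetry rather than hardening until it becomes `egress-policy: block` with an `allowed-endpoints:` list built from the audit output. The same `audit` setting is used on every Harden Runner step this commit adds (dependency-review, do-not-merge, doc-publish, merge, pre-main, preflight, qe-hosted, the qe-ocp-414/415 files and their intrusive variants, scorecard, tnf-image, update-rhcos-mapping), so this note covers all of them. The jobs that hold write credentials — doc-publish's `contents: write`, the Quay push jobs in pre-main and tnf-image, update-rhcos-mapping's PAT — are where moving to `block` pays off first. A one-line comment on the step, `# audit only: collect endpoints, then switch to egress-policy: block`, would make the intent and the follow-up explicit.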
@@ -61,7 +69,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -75,4 +83,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..3f3456223 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/do-not-merge.yaml b/.github/workflows/do-not-merge.yaml index 4c252a86f..7bc07e7ca 100644 --- a/.github/workflows/do-not-merge.yaml +++ b/.github/workflows/do-not-merge.yaml 
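Review bot: The new workflow checks out with `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while every other workflow in this commit is moved to `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4`; a freshly added file should not start one major behind, so use the v4.1.4 pin here too. For the same reason, check the `actions/dependency-review-action@… # v2.5.1` pin against the action's current release before this file lands, since Dependabot will otherwise open a bump PR on the first run. The single-quoted step names (`'Checkout Repository'`, `'Dependency Review'`) are also the only quoted names in the repo's workflows; plain scalars match the other files.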
@@ -4,12 +4,20 @@ on: pull_request: types: [synchronize, opened, reopened, labeled, unlabeled] +permissions: + contents: read + jobs: do-not-merge: if: ${{ contains(github.event.*.labels.*.name, 'do not merge') }} name: Prevent Merging runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check for label run: | echo "Pull request is labeled as 'do not merge'" diff --git a/.github/workflows/doc-publish.yml b/.github/workflows/doc-publish.yml index 242520d87..204042d06 100644 --- a/.github/workflows/doc-publish.yml +++ b/.github/workflows/doc-publish.yml @@ -6,18 +6,26 @@ on: branches: - master - main +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest permissions: contents: write steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: generate site uses: ./.github/actions/documentation - name: Deploy - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./site diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml index ecb274946..9d0225541 100644 --- a/.github/workflows/merge.yaml +++ b/.github/workflows/merge.yaml @@ -4,12 +4,20 @@ on: pull_request: types: [ closed ] +permissions: + contents: read + jobs: do-not-merge: if: ${{ contains(github.event.*.labels.*.name, 'do not merge') }} name: Prevent Merging runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check for label run: | echo "Pull request is labeled as 'do not merge'" 
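Review bot: The `deploy` job keeps `permissions: contents: write` (required by `peaceiris/actions-gh-pages` to push `./site`), which makes it the job in this commit where an `egress-policy: audit` Harden Runner step protects the least: anything that runs inside the job, including the `./.github/actions/documentation` container, can still send the write-capable `GITHUB_TOKEN` to any host, and audit mode will only log it afterwards. Treat this job as the first candidate for `egress-policy: block` once an audit run has enumerated its endpoints. Minor: the restored `- uses: actions/checkout@…` step is the only one in the job without a `name:`; `- name: Checkout repository` keeps the step list and Harden Runner's per-step report readable.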
@@ -21,13 +29,18 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Run Tests run: make test @@ -38,5 +51,10 @@ jobs: if: github.event.pull_request.merged == false runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - run: | echo PR #${{ github.event.number }} has been closed without being merged diff --git a/.github/workflows/pre-main.yaml b/.github/workflows/pre-main.yaml index 7876a6237..d1bd5e129 100644 --- a/.github/workflows/pre-main.yaml +++ b/.github/workflows/pre-main.yaml @@ -41,8 +41,13 @@ jobs: SHELL: /bin/bash steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 @@ -50,7 +55,7 @@ jobs: run: echo "::remove-matcher owner=go::" - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -60,7 +65,7 @@ jobs: SHELL: /bin/bash - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} 
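Review bot: `depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main` pins a commit but the trailing comment names a branch, not a release, so nothing records which version the SHA corresponds to and the comment will still read `main` long after the branch has moved on; if the action publishes tags, pin a tagged commit and put the tag in the comment, otherwise say so, e.g. `# unreleased commit on main, 2024-04 — no tags published`. The same applies to the other `depends-on-action` pins in pre-main.yaml and qe-hosted.yml and to `ludeeus/action-shellcheck@cd81f4475ab741e097ec0fe73b692f3e49d66b8c # master`. Separately, none of the pre-main.yaml hunks add a workflow-level `permissions:` block, while codeql-analysis, dependency-review, do-not-merge, doc-publish, merge, preflight and update-rhcos-mapping all gain `permissions: contents: read`; the top of pre-main.yaml is outside these hunks, so if it has no `permissions:` already the same `contents: read` default belongs here, and likewise for tnf-image.yaml and qe-hosted.yml whose visible hunks show none. The Quay push jobs authenticate with `QUAY_ROBOT_TOKEN`, not the default token, so a read-only default should not break them.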
@@ -70,10 +75,10 @@ jobs: chmod +x $CM_BIN - name: Install Shfmt - uses: mfinelli/setup-shfmt@v3 + uses: mfinelli/setup-shfmt@031e887e39d899d773a7e9b6dd6472c2c23ff50d # v3.0.1 - name: Golangci-lint - uses: golangci/golangci-lint-action@v5 + uses: golangci/golangci-lint-action@82d40c283aeb1f2b6595839195e95c2d6a49081b # v5.0.0 with: version: v1.56 args: --timeout 10m0s @@ -82,7 +87,7 @@ jobs: run: checkmake --config=.checkmake Makefile - name: Hadolint - uses: hadolint/hadolint-action@v3.1.0 + uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: Dockerfile recursive: true @@ -91,18 +96,18 @@ jobs: run: shfmt -d *.sh script - name: Markdownlint - uses: nosborn/github-action-markdown-cli@v3.3.0 + uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d # v3.3.0 with: files: . - name: ShellCheck - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@cd81f4475ab741e097ec0fe73b692f3e49d66b8c # master # - name: Typos # uses: crate-ci/typos@master - name: Yamllint - uses: ibiqlik/action-yamllint@v3 + uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1 with: config_file: .yamllint.yml @@ -118,8 +123,13 @@ jobs: SHELL: /bin/bash steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 @@ -127,7 +137,7 @@ jobs: run: echo "::remove-matcher owner=go::" - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} 
@@ -137,7 +147,7 @@ jobs: SHELL: /bin/bash - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} @@ -171,6 +181,11 @@ jobs: PFLT_DOCKERCONFIG: '/home/runner/.docker/config' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Write temporary docker file run: | mkdir -p /home/runner/.docker @@ -178,7 +193,7 @@ jobs: echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 @@ -186,7 +201,7 @@ jobs: run: echo "::remove-matcher owner=go::" - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -196,7 +211,7 @@ jobs: SHELL: /bin/bash - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} @@ -222,13 +237,13 @@ jobs: # Create a Kind cluster for testing. - name: Check out `cnf-certification-test-partner` - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: test-network-function/cnf-certification-test-partner path: cnf-certification-test-partner - name: Bootstrap cluster, docker, and python - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 
@@ -249,14 +264,14 @@ jobs: sudo ls -la /mnt/docker-storage - name: Run 'make rebuild-cluster' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 command: cd ${GITHUB_WORKSPACE}/cnf-certification-test-partner && make rebuild-cluster - name: Run 'make install' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 @@ -267,7 +282,7 @@ jobs: run: TNF_LOG_LEVEL=${TNF_SMOKE_TESTS_LOG_LEVEL} ./run-cnf-suites.sh -l "${SMOKE_TESTS_LABELS_FILTER}" - name: Upload smoke test results as an artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: smoke-tests @@ -287,7 +302,7 @@ jobs: run: TNF_LOG_LEVEL=${TNF_SMOKE_TESTS_LOG_LEVEL} ./run-cnf-suites.sh -l "preflight" - name: Upload preflight smoke test results as an artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: preflight-smoke-tests @@ -306,6 +321,11 @@ jobs: PFLT_DOCKERCONFIG: '/home/runner/.docker/config' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Write temporary docker file run: | mkdir -p /home/runner/.docker @@ -314,13 +334,13 @@ jobs: # Create a Kind cluster for testing. - name: Check out `cnf-certification-test-partner` - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: test-network-function/cnf-certification-test-partner path: cnf-certification-test-partner - name: Bootstrap cluster, docker, and python - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 
@@ -341,14 +361,14 @@ jobs: sudo ls -la /mnt/docker-storage - name: Run 'make rebuild-cluster' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 command: cd ${GITHUB_WORKSPACE}/cnf-certification-test-partner && make rebuild-cluster - name: Run 'make install' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 @@ -356,23 +376,23 @@ jobs: # needed by depends-on-action - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 # Perform smoke tests using a TNF container. - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} - name: Build the `cnf-certification-test` image - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 @@ -382,7 +402,7 @@ jobs: # Prepare collector to be used when running smoke tests - name: Check out `Collector` - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: test-network-function/collector path: collector @@ -439,7 +459,7 @@ jobs: collector_password: ${COLLECTOR_CIPASSWORD} - name: Upload container test results as an artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: smoke-tests-container 
@@ -465,18 +485,23 @@ jobs: runs-on: ubuntu-22.04 if: github.event_name != 'pull_request' && needs.smoke-tests-container.result == 'success' && needs.unit-tests.result == 'success' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Login to Quay.io - uses: docker/login-action@v3 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'test-network-function' }} with: registry: ${{ env.REGISTRY }} @@ -484,7 +509,7 @@ jobs: password: ${{ secrets.QUAY_ROBOT_TOKEN }} - name: Build and push the unstable images for multi-arch - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'test-network-function' }} with: context: . @@ -507,11 +532,16 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Check all dependent Pull Requests are merged - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} check-unmerged-pr: true 
diff --git a/.github/workflows/preflight.yml b/.github/workflows/preflight.yml index 651be9c6d..49fe66fd9 100644 --- a/.github/workflows/preflight.yml +++ b/.github/workflows/preflight.yml @@ -7,6 +7,9 @@ name: Preflight # branches: [ main ] workflow_dispatch: +permissions: + contents: read + jobs: preflight-unstable: runs-on: ubuntu-22.04 @@ -15,10 +18,15 @@ jobs: IMAGE_NAME: quay.io/testnetworkfunction/cnf-certification-test:unstable steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 @@ -26,7 +34,7 @@ jobs: run: echo "::remove-matcher owner=go::" - name: Clone the preflight repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: redhat-openshift-ecosystem/openshift-preflight path: openshift-preflight diff --git a/.github/workflows/qe-hosted.yml b/.github/workflows/qe-hosted.yml index fea04bd10..594217d3a 100644 --- a/.github/workflows/qe-hosted.yml +++ b/.github/workflows/qe-hosted.yml 
@@ -20,16 +20,21 @@ jobs: build-image-for-qe: runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Setup docker buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Build temporary image tag for this PR - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./Dockerfile @@ -37,7 +42,7 @@ jobs: outputs: type=docker,dest=/tmp/testimage.tar - name: Store image as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: testimage path: /tmp/testimage.tar @@ -60,8 +65,13 @@ jobs: SKIP_PRELOAD_IMAGES: true steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -70,7 +80,7 @@ jobs: # Download the image from the artifact and load it into the docker daemon. - name: Setup docker buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Install dependencies run: | 
@@ -80,13 +90,13 @@ jobs: # Create a Kind cluster for testing. - name: Check out `cnf-certification-test-partner` - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: test-network-function/cnf-certification-test-partner path: cnf-certification-test-partner - name: Bootstrap cluster, docker, and python - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 @@ -107,7 +117,7 @@ jobs: sudo ls -la /mnt/docker-storage - name: Download image from artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: testimage path: /tmp @@ -116,14 +126,14 @@ jobs: run: docker load --input /tmp/testimage.tar - name: Run 'make rebuild-cluster' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 command: cd ${GITHUB_WORKSPACE}/cnf-certification-test-partner; make rebuild-cluster - name: Install partner resources - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 90 max_attempts: 3 @@ -137,19 +147,19 @@ jobs: working-directory: cnf-certification-test-partner - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification ref: main - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@main + uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main with: token: ${{ secrets.GITHUB_TOKEN }} - name: Run the tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 60 max_attempts: 3 
diff --git a/.github/workflows/qe-ocp-414-intrusive.yaml b/.github/workflows/qe-ocp-414-intrusive.yaml index 5975b5d73..e3c3148bb 100644 --- a/.github/workflows/qe-ocp-414-intrusive.yaml +++ b/.github/workflows/qe-ocp-414-intrusive.yaml @@ -17,13 +17,18 @@ jobs: SHELL: /bin/bash FORCE_DOWNLOAD_UNSTABLE: true steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -52,8 +57,13 @@ jobs: TNF_REPORT_DIR: '/home/labuser2/tnf_report' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -64,7 +74,7 @@ jobs: run: oc get pods -A - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -84,7 +94,7 @@ jobs: sudo rm -rf ${{env.TNF_REPORT_DIR}} - name: Run the tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 60 max_attempts: 3 diff --git a/.github/workflows/qe-ocp-414.yaml b/.github/workflows/qe-ocp-414.yaml index 95dbfb13d..ecc505bcd 100644 --- a/.github/workflows/qe-ocp-414.yaml +++ b/.github/workflows/qe-ocp-414.yaml 
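Review bot: The new Harden Runner step is inserted into jobs that look like they run on self-hosted lab hosts (`oc get pods -A` against a pre-existing cluster, `TNF_REPORT_DIR: '/home/labuser2/tnf_report'`), but each job's `runs-on:` is outside the hunk. Harden Runner's documented support is GitHub-hosted runners and Actions Runner Controller; on other self-hosted runners the step is likely either a failure or a no-op that still adds a network dependency on StepSecurity, so confirm the runner type before relying on it, and drop the step from the self-hosted jobs if it cannot enforce anything there. The same applies to the matching hunks in qe-ocp-414.yaml, qe-ocp-415-intrusive.yaml and qe-ocp-415.yaml.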
@@ -17,13 +17,18 @@ jobs: SHELL: /bin/bash FORCE_DOWNLOAD_UNSTABLE: true steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -51,8 +56,13 @@ jobs: TNF_REPORT_DIR: '/home/labuser2/tnf_report' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -63,7 +73,7 @@ jobs: run: oc get pods -A - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -83,7 +93,7 @@ jobs: sudo rm -rf ${{env.TNF_REPORT_DIR}} - name: Run the tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 60 max_attempts: 3 diff --git a/.github/workflows/qe-ocp-415-intrusive.yaml b/.github/workflows/qe-ocp-415-intrusive.yaml index fc5f89d55..7e2e8c892 100644 --- a/.github/workflows/qe-ocp-415-intrusive.yaml +++ b/.github/workflows/qe-ocp-415-intrusive.yaml 
@@ -17,13 +17,18 @@ jobs: SHELL: /bin/bash FORCE_DOWNLOAD_UNSTABLE: true steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -52,8 +57,13 @@ jobs: TNF_REPORT_DIR: '/home/labuser/tnf_report' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -64,7 +74,7 @@ jobs: run: oc get pods -A - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -84,7 +94,7 @@ jobs: sudo rm -rf ${{env.TNF_REPORT_DIR}} - name: Run the tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 60 max_attempts: 3 diff --git a/.github/workflows/qe-ocp-415.yaml b/.github/workflows/qe-ocp-415.yaml index 960c7a1b0..cecd4e416 100644 --- a/.github/workflows/qe-ocp-415.yaml +++ b/.github/workflows/qe-ocp-415.yaml 
@@ -17,13 +17,18 @@ jobs: SHELL: /bin/bash FORCE_DOWNLOAD_UNSTABLE: true steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -51,8 +56,13 @@ jobs: TNF_REPORT_DIR: '/home/labuser/tnf_report' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} @@ -63,7 +73,7 @@ jobs: run: oc get pods -A - name: Clone the QE repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification @@ -83,7 +93,7 @@ jobs: sudo rm -rf ${{env.TNF_REPORT_DIR}} - name: Run the tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 60 max_attempts: 3 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ab28df284..075a924f6 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
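Review bot: `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` is left in place directly below the new Harden Runner step in scorecard.yml, while every other workflow touched by this commit moves checkout to `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4`; updating this one too keeps the pins uniform so a single Dependabot bump covers them all. The checkout step's `with:` block continues past the end of the hunk.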
diff --git a/.github/workflows/tnf-image.yaml b/.github/workflows/tnf-image.yaml index ba8cab268..c9616581c 100644 --- a/.github/workflows/tnf-image.yaml +++ b/.github/workflows/tnf-image.yaml @@ -47,6 +47,11 @@ jobs: PARTNER_VERSION: "" steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Write temporary docker file run: | mkdir -p /home/runner/.docker @@ -54,7 +59,7 @@ jobs: echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} - name: Checkout generic working branch of the current version - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ env.CURRENT_VERSION_GENERIC_BRANCH }} fetch-depth: '0' @@ -110,18 +115,18 @@ jobs: run: echo "Tag '$PARTNER_VERSION' does not exist on remote $PARTNER_SRC_URL" - name: Checkout the version tag - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ env.TNF_VERSION }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 # Push the new TNF image to Quay.io. - name: Authenticate against Quay.io - uses: docker/login-action@v3 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ${{ env.REGISTRY }} # Use a Robot Account to authenticate against Quay.io @@ -130,7 +135,7 @@ jobs: password: ${{ secrets.QUAY_ROBOT_TOKEN }} - name: Build and push the TNF image for multi-arch - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: Dockerfile 
diff --git a/.github/workflows/update-rhcos-mapping.yml b/.github/workflows/update-rhcos-mapping.yml index 8585671a0..6aed2fd56 100644 --- a/.github/workflows/update-rhcos-mapping.yml +++ b/.github/workflows/update-rhcos-mapping.yml @@ -5,16 +5,27 @@ on: schedule: - cron: "0 0 * * *" workflow_dispatch: +permissions: + contents: read + jobs: update-certification: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR name: Update offline mapping of RHCOS to OCP version runs-on: ubuntu-22.04 env: SHELL: /bin/bash steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: main @@ -22,7 +33,7 @@ jobs: run: make update-rhcos-versions - name: Set up Go 1.22 - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.22.2 @@ -32,7 +43,7 @@ jobs: run: make test - name: Create PR - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 env: GITHUB_TOKEN: ${{ secrets.UPDATE_CERTIFIED_DB_TOKEN }} with: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..691d45e43 --- /dev/null +++ b/.pre-commit-config.yaml 
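Review bot: The job now grants `contents: write` and `pull-requests: write` to `GITHUB_TOKEN` for `peter-evans/create-pull-request`, but the same step sets `env: GITHUB_TOKEN: ${{ secrets.UPDATE_CERTIFIED_DB_TOKEN }}`, a separate PAT, and the step's `with:` block (outside the hunk) decides which credential the action actually uses. If the PAT is passed as the action's `token`, the two job-level write grants are unused and should be removed so the default token stays at `contents: read`; if it is not, the PAT in `env` is dead weight and one of the two should go. Replace the two existing `# for peter-evans/create-pull-request …` comments with one that states which credential opens the PR and why a PAT is needed (for example so that checks run on the generated PR), since that is what a reader has to know to change either line safely.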
@@ -0,0 +1,22 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/Dockerfile b/Dockerfile index 1eff1f4ec..6c6cb64b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi:9.3-1610 AS build +FROM registry.access.redhat.com/ubi9/ubi:9.3-1610@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072 AS build ENV TNF_DIR=/usr/tnf ENV \ TNF_SRC_DIR=${TNF_DIR}/tnf-src \ @@ -113,11 +113,11 @@ RUN \ # Using latest is prone to errors. # hadolint ignore=DL3007 -FROM quay.io/testnetworkfunction/oct:latest AS db +FROM quay.io/testnetworkfunction/oct:latest@sha256:7bc4027d44a9f77ca7f816cd117ba8a4724fceb5b1db12eb5013a4ea520fa27f AS db # Copy the state into a new flattened image to reduce size. # TODO run as non-root -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5 ENV \ TNF_DIR=/usr/tnf \
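Review bot: The new hooks are pinned by mutable tags (`rev: v8.16.3`, `rev: v1.52.2`, `rev: 3.0.0`, `rev: v8.38.0`, `rev: v4.4.0`) in the same commit that moves every GitHub Action to a commit SHA; pre-commit accepts a full commit SHA in `rev`, so the consistent form is the SHA with a `# vX.Y.Z` comment, and because Dependabot does not manage `.pre-commit-config.yaml`, a header comment naming the update procedure (`# bump with: pre-commit autoupdate`) belongs at the top of the file. The `golangci-lint` hook at `rev: v1.52.2` also trails the `version: v1.56` that pre-main.yaml's CI runs, so local and CI linting will disagree on findings until they are aligned. `mirrors-eslint` is unusual for a Go repository; if there are no JS/TS sources it is a wasted network fetch on every developer machine and should be dropped, and the top-level `- repo:` list is flush while the `hooks:` lists are indented, which the repo's yamllint step may flag as inconsistent sequence indentation.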
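Review bot: `FROM quay.io/testnetworkfunction/oct:latest@sha256:7bc4027d…` now resolves by digest, so the `latest` tag is informational only and the two comment lines above it (`# Using latest is prone to errors.` and `# hadolint ignore=DL3007`) no longer describe what the line does: the db layer is frozen at that digest until someone bumps it, which is the opposite of what the comment warns about. Replace them with `# Pinned by digest; the :latest tag is informational only — bump the digest to pick up a newer oct build.` and re-check whether the DL3007 ignore is still needed once hadolint sees a digest. Because `oct` is an in-house image that presumably moves often, make sure the root `Dockerfile` is covered by a Dependabot `docker` entry (the `.github/dependabot.yml` change in this commit only adds one for `/.github/actions/documentation`), or this and the two `ubi` digests will go stale. The hunk is headed by `RUN \` and the trailing `ENV \` continuation runs past its end.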