
Commit 0041b4f

committed
harden actions
Signed-off-by: Alex Weaver <[email protected]>
1 parent 87cb2cd commit 0041b4f


8 files changed

+63
-28
lines changed


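--- a/.github/workflows/check-codeowners.yaml
+++ b/.github/workflows/check-codeowners.yaml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - name: install yq
 run: |
 sudo snap install yq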
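Review bot: `actions/checkout@v4` on line 9 is still resolved through a mutable tag, here and in linter.yml, lint-test.yaml, release.yaml, sync-readme.yaml, update-helm-repo.yaml and validate-pr.yaml, while every other action touched by this commit is pinned to a full commit SHA. The same supply-chain reasoning applies to checkout, which still receives the job token to perform the fetch even with `persist-credentials: false`; pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4.x.y`, with the SHA taken from the release you intend to use. The `install yq` step continues outside the hunk; `sudo snap install yq` likewise installs whatever the snap store currently serves, so a pinned channel or a checksum-verified download would close the same gap there.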

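--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 
 on: pull_request
 
+permissions: {}
+
 jobs:
 call-check-codeowners:
 uses: ./.github/workflows/check-codeowners.yaml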
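Review bot: `permissions: {}` on new line 5 is the right default, but a reusable workflow can never hold more permissions than the calling job, and the called check-codeowners.yaml checks the repository out with actions/checkout. On a private repository that checkout needs `contents: read`, which this workflow no longer grants anywhere; if that applies, scope it to the one job rather than widening the default, `call-check-codeowners:` followed by `permissions:` / `contents: read` before the `uses:` line. The call-check-codeowners job may continue past the hunk, so check whether it already declares a `permissions:` block.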

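--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -29,6 +29,7 @@ on:
 
 env:
 CT_CONFIGFILE: ${{ inputs.ct_configfile }}
+CT_CHECK_VERSION_INCREMENT: ${{ inputs.ct_check_version_increment }}
 
 jobs:
 lint-test:
@@ -38,9 +39,10 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Set up Helm
-uses: azure/setup-helm@v4
+uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 with:
 version: ${{ inputs.helm_version }}
 
@@ -52,7 +54,7 @@ jobs:
 python-version: 3.12
 
 - name: Set up chart-testing
-uses: helm/[email protected]
+uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 # v2.1.0
 
 - name: Run chart-testing (list-changed)
 id: list-changed
@@ -63,10 +65,10 @@ jobs:
 fi
 
 - name: Run chart-testing (lint)
-run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=${{ inputs.ct_check_version_increment }}
+run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment="${CT_CHECK_VERSION_INCREMENT}"
 
 - name: Create kind cluster
-uses: helm/[email protected]
+uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
 if: steps.list-changed.outputs.changed == 'true'
 with:
 kubectl_version: ${{ inputs.kind_kubectl_version }}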
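Review bot: The SHA pins on new lines 57 and 71 are annotated as chart-testing-action v2.1.0 and kind-action v1.8.0, but the tag references they replace are rendered unreadably on this page, so it cannot be confirmed from the diff that these are the same releases the workflow used before; pinning to an older release than the previous tag would silently drop fixes, so verify each SHA against the release the old tag resolved to before merging. Keeping the exact release in the trailing comment, as done here, is what lets Dependabot or Renovate bump the pin later, so that convention should hold for every pinned action in the commit. Context line 54, `python-version: 3.12`, is a bare YAML float; `python-version: "3.12"` avoids the trailing-zero trap that bites the next bump to a x.10 release.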

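--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout Code
 uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Check Docs
 run: |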

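--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,14 +18,15 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Configure Git
 run: |
 git config user.name "$GITHUB_ACTOR"
 git config user.email "[email protected]"
 
 - name: Set up Helm
-uses: azure/setup-helm@v4
+uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 with:
 version: v3.12.0
 
@@ -39,7 +40,7 @@ jobs:
 helm repo add minio-new https://charts.min.io
 
 - name: Run chart-releaser
-uses: helm/[email protected]
+uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
 with:
 charts_dir: charts
 config: cr.yaml
@@ -48,7 +49,7 @@ jobs:
 CR_SKIP_EXISTING: "true"
 
 - name: Login to GHCR
-uses: docker/[email protected]
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}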
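Review bot: `persist-credentials: false` on new line 21 removes the token that git commands in this job could previously fall back on, and the "Configure Git" step on lines 23-26 sets a commit identity, which suggests commits or pushes follow. The chart-releaser step's configuration continues past the hunk, so the diff does not show whether it is handed a token through its own env or input; confirm that it is, and that no later `run:` step in this job pushes with bare git, before relying on this change. The `git config user.email` value on line 26 is rendered unreadably on this page, so its content could not be reviewed here.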

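--- a/.github/workflows/sync-readme.yaml
+++ b/.github/workflows/sync-readme.yaml
@@ -13,11 +13,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - run: |
 cp -f README.md ${{ runner.temp }}/README.md
 - uses: actions/checkout@v4
 with:
 ref: gh-pages
+persist-credentials: false
 - run: |
 cp -f ${{ runner.temp }}/README.md .
 git config user.name "$GITHUB_ACTOR"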
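Review bot: The gh-pages checkout on new lines 20-23 now has `persist-credentials: false`, yet the `run:` step that follows it configures a git identity on line 26, which suggests it ends in a commit and push to gh-pages; that step continues outside the hunk, and a push from a checkout without persisted credentials will be rejected. Either keep the default for this one checkout and give the job `permissions:` / `contents: write`, or keep the hardening and pass a token explicitly to the push via the step's `env:`, as the commit does elsewhere. Lines 19 and 25 still interpolate `${{ runner.temp }}` into shell text; the runner already exports this value as `RUNNER_TEMP`, so `"${RUNNER_TEMP}/README.md"` would match the env-variable pattern the rest of the commit adopts.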

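--- a/.github/workflows/update-helm-repo.yaml
+++ b/.github/workflows/update-helm-repo.yaml
@@ -41,6 +41,7 @@ env:
 CR_PACKAGE_PATH: "${{ github.workspace }}/.cr-release-packages"
 CR_TOOL_PATH: "${{ github.workspace }}/.cr-tool"
 HELM_TAG_PREFIX: "${{ inputs.helm_tag_prefix }}"
+REF_NAME: "${{ github.ref_name }}"
 
 jobs:
 setup:
@@ -54,9 +55,10 @@ jobs:
 with:
 fetch-depth: 0
 path: source
+persist-credentials: false
 
 - name: Set up chart-testing
-uses: helm/[email protected]
+uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 # v2.1.0
 
 - name: List changed charts
 id: list-changed
@@ -65,8 +67,8 @@ jobs:
 
 latest_tag=$( if ! git describe --tags --abbrev=0 2> /dev/null ; then git rev-list --max-parents=0 --first-parent HEAD ; fi )
 
-echo "Running: ct list-changed --config ${CT_CONFIGFILE} --since ${latest_tag} --target-branch ${{ github.ref_name }}"
-changed=$(ct list-changed --config "${CT_CONFIGFILE}" --since "${latest_tag}" --target-branch "${{ github.ref_name }}")
+echo "Running: ct list-changed --config ${CT_CONFIGFILE} --since ${latest_tag} --target-branch ${REF_NAME}"
+changed=$(ct list-changed --config "${CT_CONFIGFILE}" --since "${latest_tag}" --target-branch "${REF_NAME}")
 echo "${changed}"
 num_changed=$(wc -l <<< ${changed})
 if [[ "${num_changed}" -gt "1" ]] ; then
@@ -102,25 +104,29 @@ jobs:
 steps:
 - name: Create a GitHub App installation access token
 if: env.github_app_id != ''
-uses: tibdex/github-app-token@v2
+uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 id: app-token
 with:
-app_id: ${{ secrets.github_app_id }}
+app_id: ${github_app_id}
 private_key: ${{ secrets.github_app_pem }}
 
 - name: Set the correct token (Github App or PAT)
+env:
+HELM_REPO_TOKEN: ${{ secrets.helm_repo_token }}
+APP_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
-if [[ "${{ env.github_app_id }}" == '' ]]; then
-echo "AUTHTOKEN=${{ secrets.helm_repo_token }}" >> $GITHUB_ENV
+if [[ "${github_app_id}" == '' ]]; then
+echo "AUTHTOKEN=${HELM_REPO_TOKEN}" >> $GITHUB_ENV
 else
-echo "AUTHTOKEN=${{ steps.app-token.outputs.token }}" >> $GITHUB_ENV
+echo "AUTHTOKEN=${APP_TOKEN}" >> $GITHUB_ENV
 fi
 
 - name: Checkout
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
 path: source
+persist-credentials: false
 
 - name: Configure Git
 run: |
@@ -136,6 +142,7 @@ jobs:
 repository: grafana/helm-charts
 path: helm-charts
 token: ${{ env.AUTHTOKEN }}
+persist-credentials: false
 
 - name: Configure Git for helm-charts
 run: |
@@ -144,15 +151,17 @@ jobs:
 git config user.email "[email protected]"
 
 - name: Install Helm
-uses: azure/setup-helm@v4
+uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 with:
 version: v3.16.2
 
 - name: Parse Chart.yaml
 id: parse-chart
+env:
+CHARTPATH: ${{ needs.setup.outputs.chartpath }}
 run: |
 cd source
-changed="${{ needs.setup.outputs.chartpath }}"
+changed="${CHARTPATH}"
 description=$(yq ".description" < ${changed}/Chart.yaml)
 name=$(yq ".name" < ${changed}/Chart.yaml)
 version=$(yq ".version" < ${changed}/Chart.yaml)
@@ -166,10 +175,12 @@ jobs:
 echo "packagename=${name}-${version}" >> $GITHUB_OUTPUT
 
 - name: Add dependency chart repos
+env:
+CHARTPATH: ${{ steps.parse-chart.outputs.chartpath }}
 run: |
 cd source
 # Skip the header line and make sure that tabs are expanded into spaces
-deps=$(helm dependency list "${{ steps.parse-chart.outputs.chartpath }}" | tail +2 | expand)
+deps=$(helm dependency list "${CHARTPATH}" | tail +2 | expand)
 while read -r row; do
 IFS=' ' read -ra parts <<< "$row"
 name="${parts[0]}"
@@ -190,20 +201,24 @@ jobs:
 rm -f cr.tar.gz
 
 - name: Create helm package
+env:
+CHARTPATH: ${{ steps.parse-chart.outputs.chartpath }}
 run: |
 cd source
-"${CR_TOOL_PATH}/cr" package "${{ steps.parse-chart.outputs.chartpath }}" --config "${CR_CONFIGFILE}" --package-path "${CR_PACKAGE_PATH}"
+"${CR_TOOL_PATH}/cr" package "${CHARTPATH}" --config "${CR_CONFIGFILE}" --package-path "${CR_PACKAGE_PATH}"
 echo "Result of chart package:"
 ls -l "${CR_PACKAGE_PATH}"
 
 - name: Create tag and check if exists on origin
+env:
+TAGNAME: ${{ steps.parse-chart.outputs.tagname }}
 run: |
 cd source
-echo "Making tag ${{ steps.parse-chart.outputs.tagname }}"
-git tag "${{ steps.parse-chart.outputs.tagname }}"
+echo "Making tag ${TAGNAME}"
+git tag "${TAGNAME}"
 
 - name: Make github release
-uses: softprops/action-gh-release@v1
+uses: softprops/action-gh-release@b21b43df682dab285bf5146c1955e7f3560805f8 # tags/v1
 with:
 body: |
 ${{ steps.parse-chart.outputs.desc }}
@@ -219,18 +234,20 @@ jobs:
 token: ${{ env.AUTHTOKEN }}
 
 - name: Push release tag on origin
+env:
+TAGNAME: ${{ steps.parse-chart.outputs.tagname }}
 run: |
 cd source
-echo "Pushing tag ${{ steps.parse-chart.outputs.tagname }}"
-git push origin "${{ steps.parse-chart.outputs.tagname }}"
+echo "Pushing tag ${TAGNAME}"
+git push origin "${TAGNAME}"
 
 - name: Update helm repo index.yaml
 run: |
 cd helm-charts
 "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ env.AUTHTOKEN }}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}" --push
 
 - name: Login to GHCR
-uses: docker/[email protected]
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -239,5 +256,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Push charts to GHCR
+env:
+PACKAGENAME: ${{ steps.parse-chart.outputs.packagename }}
 run: |
-helm push "${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
+helm push "${CR_PACKAGE_PATH}/${PACKAGENAME}.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"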
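Review bot: `app_id: ${github_app_id}` on new line 110 sits inside a `with:` block, where the runner performs no shell expansion, so the action now receives the literal text `${github_app_id}` instead of the app id; the shell-style reference is only valid inside `run:` (as on line 118), and the `if: env.github_app_id != ''` guard on line 106 shows the value is readable as an expression, so this line should be `app_id: ${{ env.github_app_id }}`. The `git push origin "${TAGNAME}"` on new line 242 runs in the `source` checkout, which no longer persists credentials after line 129; unless the Configure Git step (its body lies outside the hunk) rewrites the origin URL with AUTHTOKEN, that push will be rejected. Line 247 still inlines `${{ env.AUTHTOKEN }}` into the script even though AUTHTOKEN is exported as an environment variable; `--token "${AUTHTOKEN}"` would follow the pattern the rest of the commit adopts and keep the token out of the rendered command. The `# tags/v1` annotation on line 221 labels the pinned SHA with a floating tag rather than a release, so neither a reviewer nor a dependency bot can tell which version it is; record the release the SHA corresponds to instead.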

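--- a/.github/workflows/validate-pr.yaml
+++ b/.github/workflows/validate-pr.yaml
@@ -8,6 +8,10 @@ on:
 - reopened
 - synchronize
 
+permissions:
+pull-requests: read
+contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
@@ -16,10 +20,10 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Set up chart-testing
-uses: helm/[email protected]
-
+uses: helm/chart-testing-action@b0d4458c71155b54fcf33e11dd465dc923550009 # v2.0.1
 - name: Validate PR
 run: scripts/validate-pr.sh
 env: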
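Review bot: chart-testing-action is pinned on new line 26 to `b0d4458c71155b54fcf33e11dd465dc923550009 # v2.0.1`, while lint-test.yaml and update-helm-repo.yaml in the same commit pin it to `5f16c27cf7a4fa9c776ff73734df3909b2b65127 # v2.1.0`; the old tag reference is rendered unreadably on this page, so it is not clear which release the three workflows were on before. Three workflows running two different releases of the same action is hard to audit, and if the previous tag was newer than either, both pins are a downgrade; align all three on one verified SHA. The explicit `permissions:` block on lines 11-13 is the right shape for a `pull_request`-triggered job that only reads the PR and the checkout.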
