Merge pull request #456 from validatedpatterns/main

sync: main to rhdp-deploy

Author: mbaldessari

.github/linters/trivy.yaml

@@ -0,0 +1,10 @@
+# Ignores are in .trivyignore
+scan:
+  scanners:
+    - vuln
+    - secret
+    - config
+  severities:
+    - MEDIUM
+    - CRITICAL
+    - HIGH

.github/workflows/ansible-lint.yml

@@ -5,10 +5,14 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       # Important: This sets up your GITHUB_WORKSPACE environment variable
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Lint Ansible Playbook
         uses: ansible/ansible-lint@50373efb440dd3b524956c075af715cd00eaf20b

.github/workflows/jsonschema.yaml

@@ -10,10 +10,14 @@ jobs:
       matrix:
         python-version: [3.11]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
@@ -26,7 +30,7 @@ jobs:
           pip install check-jsonschema
 
       - name: Install yq
-        uses: chrisdickinson/setup-yq@latest
+        uses: chrisdickinson/setup-yq@fa3192edd79d6eb0e4e12de8dde3a0c26f2b853b # 2025-08-25
         with:
           yq-version: v4.30.7
 

.github/workflows/superlinter.yml

@@ -9,19 +9,23 @@ jobs:
     name: Super linter
     # Set the agent to run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
+          persist-credentials: false
 
       ################################
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: super-linter/super-linter/slim@v7
+        uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main
@@ -33,7 +37,6 @@ jobs:
           VALIDATE_JSCPD: false
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
-          VALIDATE_KUBERNETES_KUBECONFORM: false
           VALIDATE_PYTHON_PYLINT: false
           VALIDATE_SHELL_SHFMT: false
           VALIDATE_YAML: false

.github/workflows/sync-rhdp-branch.yml

@@ -13,16 +13,21 @@ jobs:
       github.repository_owner == 'validatedpatterns'
     runs-on: ubuntu-latest
     name: Git Sync branch
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node
         uses: actions/setup-node@v4
         with:
           node-version: 20
       - name: Opening pull request
         id: pull
-        uses: mbaldessari/[email protected]
+        uses: mbaldessari/git-sync-branch@dd2adf0ca96e52c64716d83cabe85fac33201e12 # v0.2.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           FROM_BRANCH: "main"

.github/workflows/update-metadata.yml

@@ -18,7 +18,8 @@ jobs:
       contents: read  # Required for "read-all"
       packages: write # Allows writing to packages
       id-token: write # Allows creating OpenID Connect (OIDC) tokens
-    secrets: inherit
+    secrets:
+      DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }}
     # For testing you can point to a different branch in the docs repository
     # with:
     #  DOCS_BRANCH: "main"

.trivyignore

@@ -0,0 +1,7 @@
+AVD-KSV-0110 # Missing namespace is not needed with ArgoCD
+AVD-KSV-0020 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsUser' > 10000. Not needed on OCP
+AVD-KSV-0021 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsGroup' > 10000. Not needed on OCP
+AVD-KSV-0014 # Readonly root filesystem does not work with httpd ubi images
+AVD-KSV-0125 # Container apache in deployment hello-world (namespace: default) uses an image from an untrusted registry. registry.access.redhat.com is trusted
+
+

charts/all/config-demo/templates/config-demo-deployment.yaml

@@ -18,9 +18,13 @@ spec:
         deploymentconfig: config-demo
       name: config-demo
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
+        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
         #imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -32,7 +36,28 @@ spec:
         - mountPath: /var/www/html/secret
           readOnly: true
           name: config-demo-secret
-        resources: {}
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /var/cache/httpd
+          name: cache-volume
+        - mountPath: /var/run/httpd
+          name: run-volume
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         livenessProbe:
@@ -63,3 +88,9 @@ spec:
       - name: config-demo-secret
         secret:
           secretName: config-demo-secret
+      - name: tmp-volume
+        emptyDir: {}
+      - name: cache-volume
+        emptyDir: {}
+      - name: run-volume
+        emptyDir: {}

charts/all/hello-world/templates/hello-world-deployment.yaml

@@ -17,9 +17,13 @@ spec:
         deploymentconfig: hello-world
       name: hello-world
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
+        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
         #imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -28,7 +32,27 @@ spec:
         volumeMounts:
         - mountPath: /var/www/html
           name: hello-world-configmap
-        resources: {}
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /var/cache/httpd
+          name: cache-volume
+        - mountPath: /var/run/httpd
+          name: run-volume
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         livenessProbe:
@@ -56,3 +80,9 @@ spec:
         configMap:
           defaultMode: 438
           name: hello-world-configmap
+      - name: tmp-volume
+        emptyDir: {}
+      - name: cache-volume
+        emptyDir: {}
+      - name: run-volume
+        emptyDir: {}