From 4ea992afbc750dcd4ebfc469cd8e4850ad6c56fb Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Aug 2025 13:00:01 +0200 Subject: [PATCH 1/6] Update super-linter to v8 --- .github/workflows/superlinter.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index 505b5cd8b..c19ece40e 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml @@ -21,7 +21,7 @@ jobs: # Run Linter against code base # ################################ - name: Lint Code Base - uses: super-linter/super-linter/slim@v7 + uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 env: VALIDATE_ALL_CODEBASE: true DEFAULT_BRANCH: main @@ -33,7 +33,6 @@ jobs: VALIDATE_JSCPD: false VALIDATE_JSON_PRETTIER: false VALIDATE_MARKDOWN_PRETTIER: false - VALIDATE_KUBERNETES_KUBECONFORM: false VALIDATE_PYTHON_PYLINT: false VALIDATE_SHELL_SHFMT: false VALIDATE_YAML: false From 475b95ce4a40a0591756379b65e94baa26234b3b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Aug 2025 13:06:07 +0200 Subject: [PATCH 2/6] Fix all github actions errors from new super-linter --- .github/workflows/ansible-lint.yml | 4 ++++ .github/workflows/jsonschema.yaml | 6 +++++- .github/workflows/superlinter.yml | 4 ++++ .github/workflows/sync-rhdp-branch.yml | 7 ++++++- .github/workflows/update-metadata.yml | 3 ++- 5 files changed, 21 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 5b61c1d86..913cb75f9 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml 
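Review bot: Removing the `VALIDATE_KUBERNETES_KUBECONFORM: false` override means kubeconform now runs on every file super-linter classifies as a Kubernetes manifest, and the Helm templates under charts/ (which carry `apiVersion`/`kind`, as the later Trivy findings in this series show) cannot be parsed by kubeconform wherever they contain `{{ }}` expressions. If the run stays green only because of a filter that is not visible here, say so in the workflow; otherwise add something like `FILTER_REGEX_EXCLUDE: ^charts/.*/templates/` and lint rendered output instead of raw templates. Pinning the slim image to a full SHA with the `# v8.1.0` trailer is the right form; make sure the Dependabot `github-actions` ecosystem is enabled so the pin and its trailer do not go stale.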
@@ -5,10 +5,14 @@ on: [push, pull_request] jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: # Important: This sets up your GITHUB_WORKSPACE environment variable - uses: actions/checkout@v5 + with: + persist-credentials: false - name: Lint Ansible Playbook uses: ansible/ansible-lint@50373efb440dd3b524956c075af715cd00eaf20b diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml index 9862fa887..2e3217790 100644 --- a/.github/workflows/jsonschema.yaml +++ b/.github/workflows/jsonschema.yaml @@ -10,10 +10,14 @@ jobs: matrix: python-version: [3.11] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout Code uses: actions/checkout@v5 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 @@ -26,7 +30,7 @@ jobs: pip install check-jsonschema - name: Install yq - uses: chrisdickinson/setup-yq@latest + uses: chrisdickinson/setup-yq@69aa9efdf7a9240129b103a65373c05cbc375679 # v1.0.0 with: yq-version: v4.30.7 diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index c19ece40e..95096b04d 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml @@ -9,6 +9,9 @@ jobs: name: Super linter # Set the agent to run on runs-on: ubuntu-latest + permissions: + contents: read + statuses: write steps: - name: Checkout Code @@ -16,6 +19,7 @@ jobs: with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false ################################ # Run Linter against code base # diff --git a/.github/workflows/sync-rhdp-branch.yml b/.github/workflows/sync-rhdp-branch.yml index 4489eba26..df19c932f 100644 --- a/.github/workflows/sync-rhdp-branch.yml +++ b/.github/workflows/sync-rhdp-branch.yml 
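Review bot: The job now mixes two pinning policies: `chrisdickinson/setup-yq` is pinned to a commit SHA, while `actions/checkout@v5` and `actions/setup-python@v5` in the same steps list still resolve a mutable tag at run time. GitHub-owned actions are lower risk, but a tag can be moved, and a uniform SHA pin is what Dependabot and OpenSSF Scorecard expect; pin them the same way, e.g. `uses: actions/checkout@<sha> # v5`, and let the pin updater keep the trailer current. The same applies to `actions/setup-node@v4` in the sync workflow later in this patch.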
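Review bot: `statuses: write` is the only write permission this job carries, and super-linter needs it only to post one commit status per linter when `MULTI_STATUS` is enabled (its default). If the repository does not consume those per-linter statuses, set `MULTI_STATUS: false` in the env block and drop `statuses: write` so the token is read-only; if it does, annotate the grant, e.g. `statuses: write # super-linter MULTI_STATUS commit statuses`, so the next reader knows why it is there. `persist-credentials: false` on the checkout is correct since the linter only reads the tree.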
@@ -13,16 +13,21 @@ jobs: github.repository_owner == 'validatedpatterns' runs-on: ubuntu-latest name: Git Sync branch + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v5 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@v4 with: node-version: 20 - name: Opening pull request id: pull - uses: mbaldessari/git-sync-branch@v0.2.0 + uses: mbaldessari/git-sync-branch@dd2adf0ca96e52c64716d83cabe85fac33201e12 # v0.2.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FROM_BRANCH: "main" diff --git a/.github/workflows/update-metadata.yml b/.github/workflows/update-metadata.yml index 3a00a0349..a60d2a0f8 100644 --- a/.github/workflows/update-metadata.yml +++ b/.github/workflows/update-metadata.yml @@ -18,7 +18,8 @@ jobs: contents: read # Required for "read-all" packages: write # Allows writing to packages id-token: write # Allows creating OpenID Connect (OIDC) tokens - secrets: inherit + secrets: + DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }} # For testing you can point to a different branch in the docs repository # with: # DOCS_BRANCH: "main" From fb33f998c1086d5fdfb90086a61fde6c5aa923ad Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Aug 2025 13:25:50 +0200 Subject: [PATCH 3/6] Start fixing the gh action warnings --- .github/linters/trivy.yaml | 13 +++++++ .../templates/config-demo-deployment.yaml | 39 ++++++++++++++++++- .../templates/hello-world-deployment.yaml | 39 ++++++++++++++++++- 3 files changed, 89 insertions(+), 2 deletions(-) create mode 100644 .github/linters/trivy.yaml diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml new file mode 100644 index 000000000..d46a2a05e --- /dev/null +++ b/.github/linters/trivy.yaml 
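Review bot: Replacing `secrets: inherit` with an explicit `DOCS_TOKEN` pass-through is the right direction, but nothing records what that token must be able to do, and the reusable workflow it feeds is not visible here. Presumably it pushes metadata into the docs repository; if so, `DOCS_TOKEN` should be a fine-grained token (or a GitHub App installation token minted in the workflow) limited to that repository's contents scope, and the line should say so, e.g. `DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }} # fine-grained PAT, contents:write on the docs repo only`. The `id-token: write` and `packages: write` grants above it cap what the called workflow can use; confirm it still needs both.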
@@ -0,0 +1,13 @@ +scan: + scanners: + - vuln + - secret + - config + severities: + - MEDIUM + - CRITICAL + - HIGH +ignore: + # List of check IDs or vulnerability IDs to skip + # deployment in default namespace should set metadata.namespace to a non-default namespace. This is silly in argo + - AVD-KSV-0110 diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml index 9deee7022..0b24be102 100644 --- a/charts/all/config-demo/templates/config-demo-deployment.yaml +++ b/charts/all/config-demo/templates/config-demo-deployment.yaml @@ -18,6 +18,12 @@ spec: deploymentconfig: config-demo name: config-demo spec: + securityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault containers: - name: apache image: registry.access.redhat.com/ubi8/httpd-24:1-226 @@ -32,7 +38,32 @@ spec: - mountPath: /var/www/html/secret readOnly: true name: config-demo-secret - resources: {} + - mountPath: /tmp + name: tmp-volume + - mountPath: /var/cache/httpd + name: cache-volume + - mountPath: /var/run/httpd + name: run-volume + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File livenessProbe: @@ -63,3 +94,9 @@ spec: - name: config-demo-secret secret: secretName: config-demo-secret + - name: tmp-volume + emptyDir: {} + - name: cache-volume + emptyDir: {} + - name: run-volume + emptyDir: {} diff --git a/charts/all/hello-world/templates/hello-world-deployment.yaml b/charts/all/hello-world/templates/hello-world-deployment.yaml index 878ebf5f8..9372ce9f0 100644 
--- a/charts/all/hello-world/templates/hello-world-deployment.yaml +++ b/charts/all/hello-world/templates/hello-world-deployment.yaml @@ -17,6 +17,12 @@ spec: deploymentconfig: hello-world name: hello-world spec: + securityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault containers: - name: apache image: registry.access.redhat.com/ubi8/httpd-24:1-226 @@ -28,7 +34,32 @@ spec: volumeMounts: - mountPath: /var/www/html name: hello-world-configmap - resources: {} + - mountPath: /tmp + name: tmp-volume + - mountPath: /var/cache/httpd + name: cache-volume + - mountPath: /var/run/httpd + name: run-volume + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File livenessProbe: @@ -56,3 +87,9 @@ spec: configMap: defaultMode: 438 name: hello-world-configmap + - name: tmp-volume + emptyDir: {} + - name: cache-volume + emptyDir: {} + - name: run-volume + emptyDir: {} From 29b1a3a0b162e1645f825d51e654b5fc85969fcb Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Aug 2025 13:28:40 +0200 Subject: [PATCH 4/6] Use later yq action --- .github/workflows/jsonschema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml index 2e3217790..e5e3c32a2 100644 --- a/.github/workflows/jsonschema.yaml +++ b/.github/workflows/jsonschema.yaml 
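Review bot: `defaultMode: 438` on the `hello-world-configmap` volume is octal 0666, so the served files get group and world write bits even though nothing in the container writes them and configMap volumes are mounted read-only anyway. Static content served by httpd only needs read bits; `defaultMode: 292` (0444) in this file's decimal style, or `0444` if the chart tooling accepts octal, is the conventional value. This line is pre-existing context rather than part of the change, but a hardening commit is the natural place to tighten it.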
@@ -30,7 +30,7 @@ jobs: pip install check-jsonschema - name: Install yq - uses: chrisdickinson/setup-yq@69aa9efdf7a9240129b103a65373c05cbc375679 # v1.0.0 + uses: chrisdickinson/setup-yq@fa3192edd79d6eb0e4e12de8dde3a0c26f2b853b # 2025-08-25 with: yq-version: v4.30.7 From 4441d139e766d3ac00f356a4742ab9725488a3b2 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Aug 2025 15:40:16 +0200 Subject: [PATCH 5/6] Ignore a couple of warnings --- .github/linters/trivy.yaml | 5 +---- .trivyignore | 7 +++++++ .../templates/config-demo-deployment.yaml | 10 ++-------- .../templates/hello-world-deployment.yaml | 13 +++---------- 4 files changed, 13 insertions(+), 22 deletions(-) create mode 100644 .trivyignore diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml index d46a2a05e..9d0a932da 100644 --- a/.github/linters/trivy.yaml +++ b/.github/linters/trivy.yaml @@ -1,3 +1,4 @@ +# Ignores are in .trivyignore scan: scanners: - vuln @@ -7,7 +8,3 @@ scan: - MEDIUM - CRITICAL - HIGH -ignore: - # List of check IDs or vulnerability IDs to skip - # deployment in default namespace should set metadata.namespace to a non-default namespace. This is silly in argo - - AVD-KSV-0110 diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 000000000..8a9588c98 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,7 @@ +AVD-KSV-0110 # Missing namespace is not needed with ArgoCD +AVD-KSV-0020 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsUser' > 10000. Not needed on OCP +AVD-KSV-0021 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsGroup' > 10000. Not needed on OCP +AVD-KSV-0014 # Readonly root filesystem does not work with httpd ubi images +AVD-KSV-0125 # Container apache in deployment hello-world (namespace: default) uses an image from an untrusted registry. registry.access.redhat.com is trusted + + 
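Review bot: The new pin `fa3192ed…` is annotated only with a date, `# 2025-08-25`, which indicates an unreleased commit of `chrisdickinson/setup-yq` rather than a tag. That is immutable, but a reader cannot tell which branch it came from or why v1.0.0 was insufficient, and automated pin updaters have no ref to track; record both, e.g. `# main @ 2025-08-25, v1.0.0 <reason it was replaced>`, or pin to a tag once upstream cuts one. Moving a third-party action to an untagged commit is also the moment to read the diff between the two SHAs, since the pin gives integrity but not review.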
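Review bot: The `.trivyignore` entries carry trailing `# …` comments on the same line as the ID; Trivy documents `#` comments on their own line for the plain-text format, and while recent releases appear to take only the first whitespace-separated token, older ones may have compared the whole line and silently ignored nothing. Put each comment on the line above its ID so the file behaves the same across versions, and consider an `exp:YYYY-MM-DD` field on `AVD-KSV-0014` so the read-only-root-filesystem exemption is revisited instead of becoming permanent. Suppressing `AVD-KSV-0125` repo-wide also disables the untrusted-registry check for any image added later; if the check can be parameterised with an allow-list containing `registry.access.redhat.com`, prefer that to a blanket ignore.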
diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml index 0b24be102..64db6c4b7 100644 --- a/charts/all/config-demo/templates/config-demo-deployment.yaml +++ b/charts/all/config-demo/templates/config-demo-deployment.yaml @@ -20,13 +20,11 @@ spec: spec: securityContext: runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 seccompProfile: type: RuntimeDefault containers: - name: apache - image: registry.access.redhat.com/ubi8/httpd-24:1-226 + image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646 #imagePullPolicy: Always ports: - containerPort: 8080 @@ -53,15 +51,11 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 capabilities: drop: - ALL - add: - - NET_BIND_SERVICE seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log diff --git a/charts/all/hello-world/templates/hello-world-deployment.yaml b/charts/all/hello-world/templates/hello-world-deployment.yaml index 9372ce9f0..e065d4bf1 100644 --- a/charts/all/hello-world/templates/hello-world-deployment.yaml +++ b/charts/all/hello-world/templates/hello-world-deployment.yaml @@ -19,13 +19,11 @@ spec: spec: securityContext: runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 seccompProfile: type: RuntimeDefault containers: - name: apache - image: registry.access.redhat.com/ubi8/httpd-24:1-226 + image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646 #imagePullPolicy: Always ports: - containerPort: 8080 
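Review bot: The new image reference `registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646` is a build tag, better than a floating tag but still mutable at the registry; for a Deployment that is now being scanned for supply-chain findings, pin by digest as well, e.g. `image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646@sha256:<digest>`, so Argo CD deploys exactly the image that was scanned. Leaving `runAsNonRoot: true` at pod level with no UID is the right shape for OpenShift, where the restricted SCC assigns a UID from the namespace range; a one-line comment beside it saying so would stop the next reader from re-adding `runAsUser`.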
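Review bot: `readOnlyRootFilesystem: false` gives up the hardening that the `/tmp`, `/var/cache/httpd` and `/var/run/httpd` emptyDir mounts kept in this file were added to make possible, and the `.trivyignore` rationale only says the UBI httpd image does not work with it. If the failure was one more path the image's start script writes to (its s2i run script is the usual suspect; verify against the container logs), an additional emptyDir there would let the container keep a read-only root; if the image genuinely needs a writable root, name the path in a comment beside the field so the exemption is reviewable. Dropping `NET_BIND_SERVICE` is consistent with the container listening on 8080.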
@@ -49,17 +47,12 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault capabilities: drop: - ALL - add: - - NET_BIND_SERVICE - seccompProfile: - type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File livenessProbe: From bebfe37af8681e49a58d62e6d50e50b202a6e059 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 2 Sep 2025 10:28:03 +0200 Subject: [PATCH 6/6] Switch to release-2.14 for all versions except 4.15 acm-2.14 is available on OCP: 4.1{6789} For ocp-4.15 we use acm-2.13 --- overrides/{values-4.18-hub.yaml => values-4.15-hub.yaml} | 0 overrides/values-4.19-hub.yaml | 6 ------ values-hub.yaml | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) rename overrides/{values-4.18-hub.yaml => values-4.15-hub.yaml} (100%) delete mode 100644 overrides/values-4.19-hub.yaml diff --git a/overrides/values-4.18-hub.yaml b/overrides/values-4.15-hub.yaml similarity index 100% rename from overrides/values-4.18-hub.yaml rename to overrides/values-4.15-hub.yaml diff --git a/overrides/values-4.19-hub.yaml b/overrides/values-4.19-hub.yaml deleted file mode 100644 index e582c2535..000000000 --- a/overrides/values-4.19-hub.yaml +++ /dev/null @@ -1,6 +0,0 @@ -clusterGroup: - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.13 diff --git a/values-hub.yaml b/values-hub.yaml index f0abae474..3725d502f 100644 --- a/values-hub.yaml +++ b/values-hub.yaml @@ -11,7 +11,7 @@ clusterGroup: acm: name: advanced-cluster-management namespace: open-cluster-management - channel: release-2.11 + channel: release-2.14 # csv: advanced-cluster-management.v2.6.1 projects: - hub
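Review bot: Here `readOnlyRootFilesystem: true` is deleted outright, whereas the parallel change in config-demo sets `readOnlyRootFilesystem: false` explicitly, so the two charts express the same decision differently and this container silently relies on the Kubernetes default. Write it the same way in both, `readOnlyRootFilesystem: false` with the reason beside it, so the exemption is visible to readers and to policy tools that diff the manifests; the three emptyDir mounts left in this Deployment are harmless but now document an intent the field no longer carries. Moving `seccompProfile` above `capabilities` is a pure reordering and is fine.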