ci: Harden GitHub Actions
Update GitHub Actions to use full-length commit IDs for third-party actions, to reduce the security risk in case one of them turns out to be vulnerable. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
This commit is contained in:
parent
25d4186265
commit
56d08e1b4d
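--- a/.github/workflows/auto-assign.yaml
+++ b/.github/workflows/auto-assign.yaml
@@ -11,7 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: take the issue
-uses: bdougie/take-action@main
+# yamllint disable-line rule:line-length
+uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main
 with:
 message: >
 Thanks for taking this issue!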
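Review bot: The new `uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main` line pins a commit but its comment records only a branch, so nothing on the line tells a maintainer which release of the action was vetted, nor lets an update bot map the SHA back to a version the way the `# v4.1.7`-style comments in the other workflows do. Unless a Dependabot or Renovate configuration for the `github-actions` ecosystem exists (none is visible here), a branch-pinned SHA will simply stay where it is, which is safe against tag-moving but means upstream fixes to the action never arrive. Where the upstream project publishes tags, prefer pinning the SHA of a tagged release and naming the tag in the comment; where it does not, add a short comment recording when the commit was reviewed. The same applies to the branch-pinned `Mergifyio/gha-mergify-merge-queue-labels-copier` line in mergify-copy-labels.yaml and the `snyk/actions/docker` and `snyk/actions/golang` lines in snyk-container-image.yaml and snyk.yaml.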
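--- a/.github/workflows/build-multi-stage.yaml
+++ b/.github/workflows/build-multi-stage.yaml
@@ -13,7 +13,8 @@ jobs:
 name: multi-arch-build
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: multi-arch-build
 # yamllint disable-line rule:line-length
 if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip/multi-arch-build') }}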
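--- a/.github/workflows/codespell.yaml
+++ b/.github/workflows/codespell.yaml
@@ -15,6 +15,7 @@ jobs:
 name: codespell
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: codespell
 run: make containerized-test TARGET=codespell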
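--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -14,7 +14,8 @@ jobs:
 if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: commitlint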
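--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -15,8 +15,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Checkout Repository'
-uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: 'Dependency Review'
-uses: actions/dependency-review-action@v4
+# yamllint disable-line rule:line-length
+uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
 with:
 allow-ghsas: GHSA-f4w6-3rh6-6q4q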
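--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -14,7 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repo
-uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
 - name: Check generated deploy code
 run: make generate-deploy
@@ -29,20 +30,23 @@ jobs:
 name: e2e-build-test
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: e2e-build-test
 run: make containerized-build TARGET=e2e.test
 go-test:
 name: go-test
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: go-test
 run: make containerized-test TARGET=go-test
 go-test-api:
 name: go-test-api
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: go-test-api
 run: make containerized-test TARGET=go-test-api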
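--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -13,6 +13,7 @@ jobs:
 name: golangci-lint
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: golangci-lint
 run: make containerized-test TARGET=go-lint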
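--- a/.github/workflows/lint-extras.yaml
+++ b/.github/workflows/lint-extras.yaml
@@ -13,6 +13,7 @@ jobs:
 name: lint-extras
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: lint-extras
 run: make containerized-test TARGET=lint-extras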
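--- a/.github/workflows/mergify-copy-labels.yaml
+++ b/.github/workflows/mergify-copy-labels.yaml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Copying labels
-uses: Mergifyio/gha-mergify-merge-queue-labels-copier@main
+uses: Mergifyio/gha-mergify-merge-queue-labels-copier@1d2b277f94d52987008ec05b571fb68f2357e63f # main
 with:
 additional-labels: 'ok-to-test'
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}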
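Review bot: The pinned `uses: Mergifyio/gha-mergify-merge-queue-labels-copier@1d2b277f94d52987008ec05b571fb68f2357e63f # main` line is the only pinned line in this commit that was not given a preceding `# yamllint disable-line rule:line-length` comment, although at over 100 characters it is longer than any of the others. If yamllint's line-length rule is enforced on `.github/workflows` (the disable comments added to every other workflow suggest it is), this line will fail the lint. Add `# yamllint disable-line rule:line-length` on the line above `uses:`, at the same indentation, as the other workflows do.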
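--- a/.github/workflows/mod-check.yaml
+++ b/.github/workflows/mod-check.yaml
@@ -13,6 +13,7 @@ jobs:
 name: mod-check
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: mod-check
 run: make containerized-test TARGET=mod-check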
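--- a/.github/workflows/publish-artifacts.yaml
+++ b/.github/workflows/publish-artifacts.yaml
@@ -18,10 +18,12 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'ceph/ceph-csi'
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
 - name: Login to Quay
-uses: docker/login-action@v3
+# yamllint disable-line rule:line-length
+uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_IO_USERNAME }}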
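--- a/.github/workflows/pull-request-commentor.yaml
+++ b/.github/workflows/pull-request-commentor.yaml
@@ -51,7 +51,8 @@ jobs:
 Add comment to trigger external storage tests for Kubernetes
 ${{ matrix.k8s }}
 if: ${{ github.base_ref == matrix.branch }}
-uses: peter-evans/create-or-update-comment@v4
+# yamllint disable-line rule:line-length
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -62,7 +63,8 @@ jobs:
 Add comment to trigger helm E2E tests for Kubernetes
 ${{ matrix.k8s }}
 if: ${{ github.base_ref == matrix.branch }}
-uses: peter-evans/create-or-update-comment@v4
+# yamllint disable-line rule:line-length
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -70,7 +72,8 @@ jobs:
 /test ci/centos/mini-e2e-helm/k8s-${{ matrix.k8s }}
 
 - name: Add comment to trigger E2E tests for Kubernetes ${{ matrix.k8s }}
-uses: peter-evans/create-or-update-comment@v4
+# yamllint disable-line rule:line-length
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 if: ${{ github.base_ref == matrix.branch }}
 with:
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
@@ -87,7 +90,8 @@ jobs:
 
 steps:
 - name: Add comment to trigger cephfs upgrade tests
-uses: peter-evans/create-or-update-comment@v4
+# yamllint disable-line rule:line-length
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -95,7 +99,8 @@ jobs:
 /test ci/centos/upgrade-tests-cephfs
 
 - name: Add comment to trigger rbd upgrade tests
-uses: peter-evans/create-or-update-comment@v4
+# yamllint disable-line rule:line-length
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -116,7 +121,8 @@ jobs:
 
 steps:
 - name: remove ok-to-test-label after commenting
-uses: actions/github-script@v7
+# yamllint disable-line rule:line-length
+uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 github-token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 script: |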
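--- a/.github/workflows/retest.yaml
+++ b/.github/workflows/retest.yaml
@@ -15,7 +15,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # path to the retest action
-- uses: ceph/ceph-csi/actions/retest@devel
+# yamllint disable-line rule:line-length
+- uses: ceph/ceph-csi/actions/retest@28dc64dcae3cec8d11d84bdf525bda0ef757c688 # devel
 with:
 GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
 required-label: "ci/retry/e2e"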
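Review bot: The pinned `- uses: ceph/ceph-csi/actions/retest@28dc64dcae3cec8d11d84bdf525bda0ef757c688 # devel` line references this repository's own action, so from this commit on a change merged to `actions/retest` on `devel` no longer reaches the workflow until someone bumps the SHA here. The pin also adds no trust boundary: the `devel` branch of this same repository can only be moved by the committers who can already edit this workflow, which is not the third-party tag-moving risk the commit is addressing. Either keep `@devel` for the in-repo action, or, if freezing it is intended, say so in the existing `# path to the retest action` comment so the next maintainer knows the SHA must be bumped by hand. The enclosing job starts before this hunk.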
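--- a/.github/workflows/snyk-container-image.yaml
+++ b/.github/workflows/snyk-container-image.yaml
@@ -26,18 +26,21 @@ jobs:
 if: github.repository == 'ceph/ceph-csi'
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Build a Docker image
 run: make image-cephcsi
 - name: Run Snyk to check Docker image for vulnerabilities
 continue-on-error: true
-uses: snyk/actions/docker@master
+# yamllint disable-line rule:line-length
+uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
 env:
 SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}
 with:
 image: quay.io/cephcsi/cephcsi:${{ github.base_ref }}
 args: --file=Dockerfilei
 - name: Upload result to GitHub Code Scanning
-uses: github/codeql-action/upload-sarif@v3
+# yamllint disable-line rule:line-length
+uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
 with:
 sarif_file: snyk.sarif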
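Review bot: The Snyk step this hunk pins (`uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master`) still runs with `continue-on-error: true` and, on the unchanged `args:` line below it, `--file=Dockerfilei`, which looks like a typo for `Dockerfile`; if the path is wrong the scan fails, the job continues regardless, and the upload step publishes whatever `snyk.sarif` happens to exist, so a broken image scan would go unnoticed. Worth confirming the path against the repository; if it is a typo, the fix is a one-word change on the `args:` line and can go in a follow-up. The enclosing job starts before this hunk.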
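--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -20,11 +20,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
-uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 
 - name: run Snyk to check for code vulnerabilities
-uses: snyk/actions/golang@master
+# yamllint disable-line rule:line-length
+uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
 env:
 SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}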
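--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -18,7 +18,8 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'ceph/ceph-csi'
 steps:
-- uses: actions/stale@v9
+# yamllint disable-line rule:line-length
+- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30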
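--- a/.github/workflows/test-retest-action.yaml
+++ b/.github/workflows/test-retest-action.yaml
@@ -15,7 +15,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
 - name: Docker build
 # Run cd to avoid loading complete cephcsi directory in docker context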
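--- a/.github/workflows/tickgit.yaml
+++ b/.github/workflows/tickgit.yaml
@@ -14,5 +14,6 @@ jobs:
 name: tickgit
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+# yamllint disable-line rule:line-length
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - run: make containerized-test TARGET=tickgit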