ci: Harden GitHub Actions

Update the GitHub Actions workflows to reference third-party actions by
full-length commit SHA instead of a mutable tag or branch name, so that a
tag or branch being repointed (for example after a compromise of the
action's repository) cannot silently change the code the workflow runs.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
StepSecurity Bot 2024-09-18 09:19:02 +00:00 committed by mergify[bot]
parent 25d4186265
commit 56d08e1b4d
18 changed files with 61 additions and 31 deletions


@ -11,7 +11,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: take the issue - name: take the issue
uses: bdougie/take-action@main # yamllint disable-line rule:line-length
uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main
with: with:
message: > message: >
Thanks for taking this issue! Thanks for taking this issue!
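Review bot: The new pin on the `uses:` line freezes `bdougie/take-action` at a commit taken from `main`, but the trailing comment `# main` names a moving branch rather than a release, so a version-aware updater (Dependabot or Renovate) has no tag to compare against and the pin will only change when someone edits it by hand. If the action publishes release tags, pin to the commit of a tagged release and record that tag in the comment (`# v1.x.y`); if it does not, say so in the comment so a later reader does not "fix" it back to `@main`. The 40-character SHA should also be checked against the upstream repository at review time, since a mistyped pin only fails when the workflow next runs.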


@ -13,7 +13,8 @@ jobs:
name: multi-arch-build name: multi-arch-build
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: multi-arch-build - name: multi-arch-build
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip/multi-arch-build') }} if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip/multi-arch-build') }}
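Review bot: Pinning `actions/checkout` to `692973e…` (`# v4.1.7`) is only a hardening if something keeps the pin current: with the previous floating `@v4` this job picked up upstream fixes automatically, whereas it now stays on v4.1.7 until this line is edited. Confirm that a `github-actions` ecosystem entry exists in the repository's Dependabot (or Renovate) configuration so the pinned SHAs and their `# vX.Y.Z` comments are bumped together; that configuration is not part of this change, so it is worth verifying rather than assuming. The `# v4.1.7` comment is what those tools parse, so keep that format on every pinned line.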


@ -15,6 +15,7 @@ jobs:
name: codespell name: codespell
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: codespell - name: codespell
run: make containerized-test TARGET=codespell run: make containerized-test TARGET=codespell


@ -14,7 +14,8 @@ jobs:
if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }} if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: commitlint - name: commitlint


@ -15,8 +15,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@v4 # yamllint disable-line rule:line-length
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review' - name: 'Dependency Review'
uses: actions/dependency-review-action@v4 # yamllint disable-line rule:line-length
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
with: with:
allow-ghsas: GHSA-f4w6-3rh6-6q4q allow-ghsas: GHSA-f4w6-3rh6-6q4q


@ -14,7 +14,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout the repo - name: Checkout the repo
uses: actions/checkout@v4 # yamllint disable-line rule:line-length
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Check generated deploy code - name: Check generated deploy code
run: make generate-deploy run: make generate-deploy
@ -29,20 +30,23 @@ jobs:
name: e2e-build-test name: e2e-build-test
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: e2e-build-test - name: e2e-build-test
run: make containerized-build TARGET=e2e.test run: make containerized-build TARGET=e2e.test
go-test: go-test:
name: go-test name: go-test
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: go-test - name: go-test
run: make containerized-test TARGET=go-test run: make containerized-test TARGET=go-test
go-test-api: go-test-api:
name: go-test-api name: go-test-api
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: go-test-api - name: go-test-api
run: make containerized-test TARGET=go-test-api run: make containerized-test TARGET=go-test-api


@ -13,6 +13,7 @@ jobs:
name: golangci-lint name: golangci-lint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: golangci-lint - name: golangci-lint
run: make containerized-test TARGET=go-lint run: make containerized-test TARGET=go-lint


@ -13,6 +13,7 @@ jobs:
name: lint-extras name: lint-extras
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: lint-extras - name: lint-extras
run: make containerized-test TARGET=lint-extras run: make containerized-test TARGET=lint-extras


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Copying labels - name: Copying labels
uses: Mergifyio/gha-mergify-merge-queue-labels-copier@main uses: Mergifyio/gha-mergify-merge-queue-labels-copier@1d2b277f94d52987008ec05b571fb68f2357e63f # main
with: with:
additional-labels: 'ok-to-test' additional-labels: 'ok-to-test'
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
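Review bot: This is the pin that matters most in the change, because the action receives `secrets.CEPH_CSI_BOT_TOKEN` two lines below and any code reachable through the `uses:` reference runs with that token. The pin now points at a commit from `main` with the comment `# main`, so there is no release tag for an updater to track and nothing tells a future reader which upstream version this corresponds to; if Mergify publishes tags for this action, prefer `uses: Mergifyio/gha-mergify-merge-queue-labels-copier@<sha> # vX.Y.Z`. Independently of the pin, it is worth confirming that the bot token's scopes are limited to what label copying needs, since a pinned but over-privileged token still amplifies any compromise of the action.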


@ -13,6 +13,7 @@ jobs:
name: mod-check name: mod-check
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: mod-check - name: mod-check
run: make containerized-test TARGET=mod-check run: make containerized-test TARGET=mod-check


@ -18,10 +18,12 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'ceph/ceph-csi' if: github.repository == 'ceph/ceph-csi'
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Login to Quay - name: Login to Quay
uses: docker/login-action@v3 # yamllint disable-line rule:line-length
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with: with:
registry: quay.io registry: quay.io
username: ${{ secrets.QUAY_IO_USERNAME }} username: ${{ secrets.QUAY_IO_USERNAME }}


@ -51,7 +51,8 @@ jobs:
Add comment to trigger external storage tests for Kubernetes Add comment to trigger external storage tests for Kubernetes
${{ matrix.k8s }} ${{ matrix.k8s }}
if: ${{ github.base_ref == matrix.branch }} if: ${{ github.base_ref == matrix.branch }}
uses: peter-evans/create-or-update-comment@v4 # yamllint disable-line rule:line-length
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with: with:
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
issue-number: ${{ github.event.pull_request.number }} issue-number: ${{ github.event.pull_request.number }}
@ -62,7 +63,8 @@ jobs:
Add comment to trigger helm E2E tests for Kubernetes Add comment to trigger helm E2E tests for Kubernetes
${{ matrix.k8s }} ${{ matrix.k8s }}
if: ${{ github.base_ref == matrix.branch }} if: ${{ github.base_ref == matrix.branch }}
uses: peter-evans/create-or-update-comment@v4 # yamllint disable-line rule:line-length
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with: with:
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
issue-number: ${{ github.event.pull_request.number }} issue-number: ${{ github.event.pull_request.number }}
@ -70,7 +72,8 @@ jobs:
/test ci/centos/mini-e2e-helm/k8s-${{ matrix.k8s }} /test ci/centos/mini-e2e-helm/k8s-${{ matrix.k8s }}
- name: Add comment to trigger E2E tests for Kubernetes ${{ matrix.k8s }} - name: Add comment to trigger E2E tests for Kubernetes ${{ matrix.k8s }}
uses: peter-evans/create-or-update-comment@v4 # yamllint disable-line rule:line-length
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: ${{ github.base_ref == matrix.branch }} if: ${{ github.base_ref == matrix.branch }}
with: with:
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
@ -87,7 +90,8 @@ jobs:
steps: steps:
- name: Add comment to trigger cephfs upgrade tests - name: Add comment to trigger cephfs upgrade tests
uses: peter-evans/create-or-update-comment@v4 # yamllint disable-line rule:line-length
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with: with:
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
issue-number: ${{ github.event.pull_request.number }} issue-number: ${{ github.event.pull_request.number }}
@ -95,7 +99,8 @@ jobs:
/test ci/centos/upgrade-tests-cephfs /test ci/centos/upgrade-tests-cephfs
- name: Add comment to trigger rbd upgrade tests - name: Add comment to trigger rbd upgrade tests
uses: peter-evans/create-or-update-comment@v4 # yamllint disable-line rule:line-length
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with: with:
token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
issue-number: ${{ github.event.pull_request.number }} issue-number: ${{ github.event.pull_request.number }}
@ -116,7 +121,8 @@ jobs:
steps: steps:
- name: remove ok-to-test-label after commenting - name: remove ok-to-test-label after commenting
uses: actions/github-script@v7 # yamllint disable-line rule:line-length
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with: with:
github-token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} github-token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
script: | script: |


@ -15,7 +15,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# path to the retest action # path to the retest action
- uses: ceph/ceph-csi/actions/retest@devel # yamllint disable-line rule:line-length
- uses: ceph/ceph-csi/actions/retest@28dc64dcae3cec8d11d84bdf525bda0ef757c688 # devel
with: with:
GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }} GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
required-label: "ci/retry/e2e" required-label: "ci/retry/e2e"
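Review bot: `ceph/ceph-csi/actions/retest` is this repository's own action, and pinning it to `28dc64d…` means a fix merged to `actions/retest` on `devel` no longer takes effect until this SHA is bumped by hand, the opposite of how the previous `@devel` reference behaved. The commit message only promises to pin third-party actions, so either document this as intentional (`# devel, pinned deliberately; bump when actions/retest changes`) or, if the workflow checks out a trusted ref rather than a fork's pull-request head, reference the in-repo action by path after a checkout step (`uses: ./actions/retest`), which runs the checked-out code without any mutable remote reference. Whichever is chosen, the step passes `secrets.CEPH_CSI_BOT_TOKEN` to the action, so the choice should be a conscious one.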


@ -26,18 +26,21 @@ jobs:
if: github.repository == 'ceph/ceph-csi' if: github.repository == 'ceph/ceph-csi'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build a Docker image - name: Build a Docker image
run: make image-cephcsi run: make image-cephcsi
- name: Run Snyk to check Docker image for vulnerabilities - name: Run Snyk to check Docker image for vulnerabilities
continue-on-error: true continue-on-error: true
uses: snyk/actions/docker@master # yamllint disable-line rule:line-length
uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
env: env:
SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }} SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}
with: with:
image: quay.io/cephcsi/cephcsi:${{ github.base_ref }} image: quay.io/cephcsi/cephcsi:${{ github.base_ref }}
args: --file=Dockerfilei args: --file=Dockerfilei
- name: Upload result to GitHub Code Scanning - name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3 # yamllint disable-line rule:line-length
uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
with: with:
sarif_file: snyk.sarif sarif_file: snyk.sarif
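Review bot: `snyk/actions/docker` is now pinned to `cdb7600…` with the comment `# master`, so as with the other branch-commit pins there is no release for an updater to track; check whether `snyk/actions` publishes tags and, if so, pin to a tagged commit and record the tag in the comment. Because the step keeps `continue-on-error: true`, a Snyk failure never blocks the job and the `upload-sarif` step below runs regardless, which is a pre-existing choice but worth re-stating in a comment next to the pin so the next reviewer knows the scan is advisory. On the unchanged context line, `args: --file=Dockerfilei` looks like a typo for `Dockerfile`; worth confirming separately from this change.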


@ -20,11 +20,13 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 # yamllint disable-line rule:line-length
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
fetch-depth: 0 fetch-depth: 0
- name: run Snyk to check for code vulnerabilities - name: run Snyk to check for code vulnerabilities
uses: snyk/actions/golang@master # yamllint disable-line rule:line-length
uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
env: env:
SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }} SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}


@ -18,7 +18,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'ceph/ceph-csi' if: github.repository == 'ceph/ceph-csi'
steps: steps:
- uses: actions/stale@v9 # yamllint disable-line rule:line-length
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
days-before-issue-stale: 30 days-before-issue-stale: 30


@ -15,7 +15,8 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Docker build - name: Docker build
# Run cd to avoid loading complete cephcsi directory in docker context # Run cd to avoid loading complete cephcsi directory in docker context


@ -14,5 +14,6 @@ jobs:
name: tickgit name: tickgit
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 # yamllint disable-line rule:line-length
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: make containerized-test TARGET=tickgit - run: make containerized-test TARGET=tickgit