
Merge pull request #2107 from step-security-bot/stepsecurity_remediat…
…ion_1719585231

[StepSecurity] ci: Harden GitHub Actions, pin dependencies in workflows
joaquimrocha authored Jul 1, 2024
2 parents 8c8e4f4 + 6b84880 commit df4efdd
Showing 18 changed files with 84 additions and 84 deletions.
12 changes: 6 additions & 6 deletions .github/workflows/app-artifacts-linux.yml
Expand Up @@ -18,14 +18,14 @@ jobs:
actions: write # needed to upload artifacts
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.inputs.buildBranch }}
- name: Setup nodejs
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 20.x
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
- name: App linux
Expand All @@ -35,21 +35,21 @@ jobs:
run: |
FILE_PATH=$(echo app/dist/Headlamp*x86_64*.AppImage); mv ${FILE_PATH} $(echo ${FILE_PATH}|sed s/x86_64/x64/)
- name: Upload Tarball artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: Tarballs
path: ./app/dist/Headlamp*.tar.*
if-no-files-found: error
retention-days: 1
- name: Upload AppImage artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: AppImages
path: ./app/dist/Headlamp*.AppImage
if-no-files-found: error
retention-days: 1
- name: Upload Debian artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: Debian
path: ./app/dist/headlamp*.deb
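Review bot: The build job in this hunk keeps `contents: write` with no justification, while the equivalent build-mac job in app-artifacts-mac.yml runs the same checkout/build/upload sequence with `contents: read`; the SHA pins close the action-supply-chain gap but the token handed to the pinned actions is still wider than a build-and-upload job needs. Unless a step below the hunk pushes or creates a release, drop it to `contents: read`, and otherwise document it the way `actions: write` is, e.g. `contents: write # needed for <reason>`. The job's `permissions:` key and its trailing steps lie outside this hunk, so confirm there is no later push before changing it.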
22 changes: 11 additions & 11 deletions .github/workflows/app-artifacts-mac.yml
Expand Up @@ -22,18 +22,18 @@ jobs:
contents: read
actions: write # needed to upload artifacts
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.inputs.buildBranch }}
- name: Setup nodejs
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 20.x
cache: 'npm'
cache-dependency-path: |
app/package-lock.json
frontend/package-lock.json
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
cache-dependency-path: |
Expand All @@ -60,7 +60,7 @@ jobs:
run: |
xcrun stapler staple ./app/dist/Headlamp*.dmg
- name: Upload artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: dmgs
path: ./app/dist/Headlamp*.dmg
Expand All @@ -74,25 +74,25 @@ jobs:
needs: build-mac
if: ${{ inputs.signBinaries }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.inputs.buildBranch }}
- name: Setup nodejs
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18.x
cache: 'npm'
cache-dependency-path: |
app/package-lock.json
frontend/package-lock.json
- name: Download artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: dmgs
path: ./dmgs
- name: Azure login
if: ${{ inputs.signBinaries }}
uses: azure/login@v2
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ secrets.WINDOWS_CLIENT_ID }}
tenant-id: ${{ secrets. AZ_TENANT_ID }}
Expand Down Expand Up @@ -132,7 +132,7 @@ jobs:
cd ./app/scripts
node ./esrp.js apple-notarize ../../dmgs/
- name: Upload Notarized
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: dmgs
path: ./dmgs/Headlamp*.dmg
Expand All @@ -148,15 +148,15 @@ jobs:
if: ${{ inputs.signBinaries }}
steps:
- name: Download artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: dmgs
path: ./dmgs
- name: Staple
run: |
xcrun stapler staple ./dmgs/Headlamp*.dmg
- name: Upload Stapled
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: dmgs
path: ./dmgs/Headlamp*.dmg
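Review bot: The Azure login step's `tenant-id: ${{ secrets. AZ_TENANT_ID }}` carries a stray space after `secrets.`, whereas app-artifacts-win.yml writes `secrets.AZ_TENANT_ID`. The commit does not touch that line and the expression parser may tolerate the whitespace, but if it does not the login would run with an empty tenant, so normalise it to `tenant-id: ${{ secrets.AZ_TENANT_ID }}` while the file is being edited. Separately, the notarize job pins setup-node to the same v4.0.2 SHA as the build job but asks for `node-version: 18.x` while the build job uses `20.x`; if that difference is not deliberate, aligning them avoids carrying two toolchains through one pipeline.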
14 changes: 7 additions & 7 deletions .github/workflows/app-artifacts-win.yml
Expand Up @@ -23,34 +23,34 @@ jobs:
actions: write # needed to upload artifacts
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: build-helper
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: headlamp-k8s/headlamp
ref: ${{ github.event.inputs.buildBranch }}
path: headlamp
- name: Setup nodejs
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 20.x
cache: 'npm'
cache-dependency-path: |
headlamp/app/package-lock.json
headlamp/frontend/package-lock.json
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
cache-dependency-path: |
headlamp/backend/go.sum
- name: Dependencies
uses: crazy-max/ghaction-chocolatey@v1
uses: crazy-max/ghaction-chocolatey@e80bd39bb49cae70b67ea53d52d00833a7255c21 # v1.7.0
with:
args: install make
- name: Azure login
if: ${{ inputs.signBinaries }}
uses: azure/login@v2
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ secrets.WINDOWS_CLIENT_ID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
Expand Down Expand Up @@ -89,7 +89,7 @@ jobs:
make app-win
- name: Upload artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: Win exes
path: ./headlamp/app/dist/Headlamp*.*
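Review bot: Pinning `crazy-max/ghaction-chocolatey` to v1.7.0 fixes the action itself, but the `args: install make` step still pulls whatever `make` package version the Chocolatey community feed serves at run time, so the build toolchain that `make app-win` depends on remains unpinned. Pass an explicit package version, e.g. `args: install make --version=<tested version>`, so the tool changes only when someone bumps it. The same `Dependencies` step appears in the Windows job of app.yml.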
20 changes: 10 additions & 10 deletions .github/workflows/app.yml
Expand Up @@ -30,12 +30,12 @@ jobs:
matrix:
node-version: [20.x]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
- name: App linux
Expand All @@ -47,16 +47,16 @@ jobs:
matrix:
node-version: [20.x]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
- name: Dependencies
uses: crazy-max/ghaction-chocolatey@v1
uses: crazy-max/ghaction-chocolatey@e80bd39bb49cae70b67ea53d52d00833a7255c21 # v1.7.0
with:
args: install make
- name: App Windows
Expand All @@ -67,12 +67,12 @@ jobs:
matrix:
node-version: [20.x]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
- name: Dependencies
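Review bot: The Windows job's `crazy-max/ghaction-chocolatey` step is now pinned by SHA, but `args: install make` still resolves `make` to the newest package on the Chocolatey community feed at run time, so the pin does not cover the tool the build actually runs. Add an explicit version such as `args: install make --version=<tested version>`. The macOS job's own `Dependencies` step is cut off below the hunk, so check whether it has the same floating install.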
6 changes: 3 additions & 3 deletions .github/workflows/backend-test.yml
Expand Up @@ -22,11 +22,11 @@ jobs:
permissions:
issues: write # needed for commenting on PRs for coverage changes
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0

- uses: actions/setup-go@v5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'

Expand All @@ -36,7 +36,7 @@ jobs:
go mod download
- name: Start cluster
uses: medyagh/setup-minikube@latest
uses: medyagh/setup-minikube@d8c0eb871f6f455542491d86a574477bd3894533 # latest

- name: Check cluster status and enable headlamp addon
run: |
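Review bot: The minikube pin `medyagh/setup-minikube@d8c0eb871f6f455542491d86a574477bd3894533 # latest` records no release in its trailing comment: `latest` was a floating tag, so nobody reading the file can tell which setup-minikube version this SHA is, and Dependabot/Renovate rely on that comment to propose bumps. Look up the tag the SHA corresponds to upstream and write it in the `# vX.Y.Z` form used for the other pins, or pin to the SHA of a tagged release instead. The pin is also only as trustworthy as the check that the SHA really is the commit behind that tag, so verify it rather than taking the bot's rewrite on faith.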
6 changes: 3 additions & 3 deletions .github/workflows/backend.yml
Expand Up @@ -27,16 +27,16 @@ jobs:
steps:

- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22.*'
id: go

- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: setup and run golangci-lint
uses: golangci/golangci-lint-action@v4
uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4.0.1
with:
version: v1.54
working-directory: backend
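Review bot: Pinning `golangci/golangci-lint-action` to v4.0.1 pins the wrapper, but the linter binary it downloads is still selected by `version: v1.54`, which resolves to the newest v1.54.x patch at run time, so the tool that actually runs is not fixed. Use a full version, `version: v1.54.<patch>` (whichever patch the project has validated), so lint results and the downloaded binary change only on an explicit bump. The step's remaining `with:` keys continue below the hunk.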
12 changes: 6 additions & 6 deletions .github/workflows/build-container.yml
Expand Up @@ -30,18 +30,18 @@ jobs:
permissions:
actions: write # needed to upload artifacts
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
with:
node-version: 20.x
- name: Start cluster
uses: medyagh/setup-minikube@latest
uses: medyagh/setup-minikube@d8c0eb871f6f455542491d86a574477bd3894533 # latest
# now you can run kubectl to see the pods in the cluster
- name: Try the cluster!
run: kubectl get pods -A
- name: Restore image-cache Folder
id: cache-image-restore
uses: actions/cache/restore@v4
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/image-cache
# cache the container image. All the paths this PR depends on except the e2e-tests folder for the key.
Expand Down Expand Up @@ -154,11 +154,11 @@ jobs:
- name: Cache image-cache Folder
if: steps.cache-image-restore.outputs.cache-hit != 'true'
id: cache-image-save
uses: actions/cache/save@v4
uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/image-cache
key: ${{ steps.cache-image-restore.outputs.cache-primary-key }}
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: always()
with:
name: e2e-tests-report
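Review bot: This workflow pins `actions/setup-node` at v3.8.2 while every other workflow in the commit pins v4.0.2, so the SHA pin now freezes an older major of the action instead of merely stopping the `v3` tag from drifting. If there is no reason to stay on v3, use the same pin as the other workflows: `- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2`. The minikube pin here carries `# latest` rather than a release tag, which leaves reviewers and update bots unable to tell what version is pinned; record the real tag in the `# vX.Y.Z` form.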
8 changes: 4 additions & 4 deletions .github/workflows/container-publish.yml
Expand Up @@ -27,9 +27,9 @@ jobs:
packages: write # needed for publishing the container image
steps:
- name: Check out the repo
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
- name: Figure out the tag based on event trigger
env:
TRIGGER: ${{ github.event_name }}
Expand Down Expand Up @@ -69,13 +69,13 @@ jobs:
git fetch origin
git checkout ${{ env.BUILD_TAG }}
- name: Log in to the Container registry
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Build and push Docker image
uses: docker/build-push-action@v4
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
with:
context: .
push: true
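Review bot: The three Docker actions are pinned at older majors (setup-buildx-action v2.10.0, login-action v2.2.0, build-push-action v4.2.1); with a SHA pin they no longer follow the `v2`/`v4` tags, so the repository should enable Dependabot's `github-actions` ecosystem (which reads the `# vX.Y.Z` comments) or schedule an upgrade so these pins do not silently go stale. Separately, the unchanged line `git checkout ${{ env.BUILD_TAG }}` expands the expression into the shell script before it runs; how BUILD_TAG is derived is above the hunk, but if it can contain input-controlled text the safer form is `git checkout "$BUILD_TAG"`, which reads the value from the environment instead of splicing it into the script.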
4 changes: 2 additions & 2 deletions .github/workflows/docker-extension-release.yml
Expand Up @@ -18,12 +18,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Login to DockerHub
uses: docker/login-action@v1
uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Check out the repo
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Update docker image tags
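Review bot: `docker/login-action` is pinned here at v1.14.1 while container-publish.yml pins the same action at v2.2.0; pinning by SHA now freezes this workflow on the v1 line indefinitely. Unless v1 behaviour is required, use one pin for both workflows, `uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0`, so there is a single action version to review and bump. The login also uses a long-lived `DOCKERHUB_TOKEN` secret; that is unchanged by the commit, but it is worth confirming the token is scoped to push-only and rotated.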
2 changes: 1 addition & 1 deletion .github/workflows/draft-release.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create Release Draft
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
token: ${{ github.token }}
draft: true
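Review bot: The pin comment on `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` names only a major, so it does not identify which release the SHA is, and update bots that parse the comment cannot bump it sensibly. Replace it with the exact tag the commit corresponds to, in the `# vX.Y.Z` form used for the other pins in this commit. The step runs with `token: ${{ github.token }}`; `draft: true` limits the blast radius, but confirm that the workflow's `permissions:` block, which is above the hunk, grants only `contents: write`.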