From 379eecacb02431d24fde19aa6b32b577ed45abff Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 13 Jan 2026 11:38:19 +0000 Subject: [PATCH 1/3] dependabot: Add cooldown It's good practice to get dependabot to wait after a release before bumping to avoid it bumping to a release done seconds before, which could have supply-chain security implications, so add a 7 day cooldown to help with this. See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns Signed-off-by: stevenhorsman --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 52f755bc0d..5dfa732bc2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,6 +15,8 @@ updates: - "/src/tools/trace-forwarder" schedule: interval: "daily" + cooldown: + default-days: 7 ignore: # rust-vmm repos might cause incompatibilities on patch versions, so # lets handle them manually for now. @@ -85,8 +87,12 @@ updates: - "src/tools/csi-kata-directvolume" schedule: interval: "daily" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "monthly" + cooldown: + default-days: 7 From cdd7c35c1078b9db1d015e469b9c8d0ed7f5d64b Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 13 Jan 2026 11:39:48 +0000 Subject: [PATCH 2/3] workflows: Remove unneeded strategy In a refactor we've remove the `matrix` section of this strategy, so the whole section isn't needed any more, so clean this up. Signed-off-by: stevenhorsman --- .github/workflows/run-cri-containerd-tests.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/run-cri-containerd-tests.yaml b/.github/workflows/run-cri-containerd-tests.yaml index e1a5e5d520..335c27b8e7 100644 --- a/.github/workflows/run-cri-containerd-tests.yaml +++ b/.github/workflows/run-cri-containerd-tests.yaml @@ -35,8 +35,6 @@ on: jobs: run-cri-containerd: name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }}) - strategy: - fail-fast: false runs-on: ${{ inputs.runner }} env: CONTAINERD_VERSION: ${{ inputs.containerd_version }} From c5aadada98edbcde679d98b18579b41887126b99 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 13 Jan 2026 11:49:05 +0000 Subject: [PATCH 3/3] workflows: Pin all actions Previously zizmor only mandated pinning of third-party actions, but has recommended rolling this out to all actions now. Signed-off-by: stevenhorsman --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/docs.yaml | 10 +++++----- .github/workflows/scorecard.yaml | 2 +- src/runtime/pkg/govmm/.github/workflows/main.yml | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4730cc74d0..a273da590b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -72,7 +72,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -95,6 +95,6 @@ jobs: make -C src/runtime - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index e101d1ee14..29543e5692 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -16,17 +16,17 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/configure-pages@v5 - - uses: actions/checkout@v5 + - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.x - run: pip install zensical - run: zensical build --clean - - uses: actions/upload-pages-artifact@v4 + - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: site - - uses: actions/deploy-pages@v4 + - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 id: deployment diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index bbe22d5a82..86c766fc26 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -55,6 +55,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10 with: sarif_file: results.sarif diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml index 40bce86c7b..7fe1cb2122 100644 --- a/src/runtime/pkg/govmm/.github/workflows/main.yml +++ b/src/runtime/pkg/govmm/.github/workflows/main.yml @@ -14,11 +14,11 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: ${{ matrix.go-version }} - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: golangci-lint