From bb2a427a8aa797e4918443240ff7ce533b394138 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 26 Jun 2025 12:10:23 -0500 Subject: [PATCH 1/4] security: ci: fix template injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes a Zizmor error where some variables are vulnerable to template injection. https://github.com/kata-containers/kata-containers/security/code-scanning/67 Signed-off-by: Aurélien Bombo --- .github/workflows/publish-kata-deploy-payload.yaml | 9 +++++++-- .github/workflows/release-amd64.yaml | 6 ++++-- .github/workflows/release-arm64.yaml | 6 ++++-- .github/workflows/release-ppc64le.yaml | 6 ++++-- .github/workflows/release-s390x.yaml | 6 ++++-- .github/workflows/release.yaml | 7 +++++-- 6 files changed, 28 insertions(+), 12 deletions(-) diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 0acdedf85..22a4a8289 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -79,7 +79,12 @@ jobs: - name: build-and-push-kata-payload for ${{ inputs.arch }} id: build-and-push-kata-payload + env: + REGISTRY: ${{ inputs.registry }} + REPO: ${{ inputs.repo }} + TAG: ${{ inputs.tag }} run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ - "$(pwd)"/kata-static.tar.xz \ - ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }} + "$(pwd)/kata-static.tar.xz" \ + "${REGISTRY}/${REPO}" \ + "${TAG}" diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 8c09fa635..88af72c9f 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml 
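Review bot: The new `env:` block in the `build-and-push-kata-payload` step of publish-kata-deploy-payload.yaml has no comment saying why the inputs are routed through environment variables, so a later edit could put `${{ inputs.* }}` back into `run:` without noticing the regression. I would add one line above `env:`, for example `# Pass inputs via env: expressions in run: are expanded into the script text before the shell parses it`. The same comment fits the `TARGET_ARCH` blocks added in the release-amd64, release-arm64, release-ppc64le and release-s390x hunks. This matters more because, per the third commit message in this series, the Zizmor gate does not yet fail on alerts.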
@@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-amd64 id: build-and-push-kata-deploy-ci-amd64 + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/" @@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index af68a3549..aa8176a58 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-arm64 id: build-and-push-kata-deploy-ci-arm64 + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/" @@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index e01dc9dbc..a179273b6 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml 
@@ -57,6 +57,8 @@ jobs: - name: build-and-push-kata-deploy-ci-ppc64le id: build-and-push-kata-deploy-ci-ppc64le + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/" @@ -70,8 +72,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index 0a184f108..4477bba40 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -61,6 +61,8 @@ jobs: - name: build-and-push-kata-deploy-ci-s390x id: build-and-push-kata-deploy-ci-s390x + env: + TARGET_ARCH: ${{ inputs.target-arch }} run: | # We need to do such trick here as the format of the $GITHUB_REF # is "refs/tags/" @@ -74,8 +76,8 @@ jobs: for tag in "${tags[@]}"; do ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ - "${tag}-${{ inputs.target-arch }}" + "${tag}-${TARGET_ARCH}" done diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8f385a7f6..c0723c819 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -251,9 +251,12 @@ jobs: GH_TOKEN: ${{ github.token }} - name: Login to the OCI registries + env: + QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }} + GITHUB_ACTOR: ${{ github.actor }} run: | - echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin - echo "${{ github.token }}" | helm registry login ghcr.io --username $ --password-stdin + echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin + echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin - name: Push helm chart to the OCI registries run: | From 820c1389db0e52983e53010364773021f362233b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 26 Jun 2025 12:28:20 -0500 Subject: [PATCH 2/4] security: ci: remove overly broad permission MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This removes the permission from the workflow since it's already present at the job level. https://github.com/kata-containers/kata-containers/security/code-scanning/111 Signed-off-by: Aurélien Bombo --- .github/workflows/ci-on-push.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml index 2fc4a0975..dcbeb3616 100644 --- a/.github/workflows/ci-on-push.yaml +++ b/.github/workflows/ci-on-push.yaml @@ -16,7 +16,6 @@ on: permissions: contents: read - id-token: write concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} From d94085916e624a7aea7749973320e65c0da31cad Mon Sep 17 00:00:00 2001 
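Review bot: The two `echo` lines in the "Login to the OCI registries" step of release.yaml still expand `${{ secrets.QUAY_DEPLOYER_PASSWORD }}` and `${{ github.token }}` directly into the script text; only the usernames were moved out of the template. A secret value containing a double quote, `$` or a backtick would be interpreted by the shell instead of being passed as data, and the rendered value ends up in the script the runner generates for the step. Handling them like the usernames keeps the step consistent: add `QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}` under `env:` and use `echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io ...`, and likewise for the token. Separately, `GITHUB_ACTOR` is one of the variables the runner sets by default, so the explicit `GITHUB_ACTOR: ${{ github.actor }}` mapping looks redundant and could be dropped or commented as deliberate.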
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 26 Jun 2025 12:36:41 -0500 Subject: [PATCH 3/4] ci: set Zizmor as required test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds Zizmor GHA security scanning as a PR gate. Note that this does NOT require that Zizmor returns 0 alerts, but rather that Zizmor's invocation completes successfully (regardless of how many alerts it raises). I will set up the former after this commit is merged (through the GH UI). Signed-off-by: Aurélien Bombo --- tools/testing/gatekeeper/required-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/gatekeeper/required-tests.yaml b/tools/testing/gatekeeper/required-tests.yaml index 3fc88816f..f8d508bff 100644 --- a/tools/testing/gatekeeper/required-tests.yaml +++ b/tools/testing/gatekeeper/required-tests.yaml @@ -6,7 +6,7 @@ required_tests: - Shellcheck required / shellcheck-required # TODO: cargo-deny-runner.yaml not yet treated as conditional - Cargo Crates Check Runner / cargo-deny-runner - + - GHA security analysis / zizmor required_regexps: # Always required regexps From 8723eedad298b9fd8d54c45d0167e71f0d95ab84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 3 Jul 2025 08:18:34 -0500 Subject: [PATCH 4/4] gha: Remove path restriction for Zizmor workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The way GH works, we can only require Zizmor results on ALL PR runs, or none, so remove the path filter. Signed-off-by: Aurélien Bombo --- .github/workflows/zizmor.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index b16158930..a260a2286 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -4,7 +4,6 @@ on: push: branches: ["main"] pull_request: - paths: [".github/workflows/**"] permissions: contents: read
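Review bot: The new `- GHA security analysis / zizmor` entry in tools/testing/gatekeeper/required-tests.yaml has no comment stating what the gate enforces. Per the commit message it only requires that the Zizmor invocation completes, not that it reports zero alerts. Someone reading the list would likely assume the stronger guarantee, so I would add above the entry `# Only requires the zizmor job to complete; the number of alerts is not gated here`. The hunk also appears to replace the blank line that separated the list from `required_regexps:`; keeping that separator would match the layout visible in the surrounding context.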