Merge pull request #11475 from kata-containers/sprt/zizmor-fixes

security: ci: Fixes for Zizmor GHA security scanning
Aurélien Bombo
2025-07-03 13:29:47 -05:00
committed by GitHub
9 changed files with 29 additions and 15 deletions


@@ -16,7 +16,6 @@ on:
permissions:
contents: read
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@@ -79,7 +79,12 @@ jobs:
- name: build-and-push-kata-payload for ${{ inputs.arch }}
id: build-and-push-kata-payload
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repo }}
TAG: ${{ inputs.tag }}
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz \
${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
"$(pwd)/kata-static.tar.xz" \
"${REGISTRY}/${REPO}" \
"${TAG}"
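Review bot: Reading `REGISTRY`, `REPO` and `TAG` from step-level `env:` is the right fix for the template-injection finding, but the new command line on the last three lines of the hunk now tolerates an unset or empty input silently, producing a push target like `/` or an empty tag instead of a visible failure. Unless `inputs.registry`, `inputs.repo` and `inputs.tag` are declared `required: true` further up the workflow (not visible here), add a guard as the first line of the script: `: "${REGISTRY:?inputs.registry is empty}" "${REPO:?inputs.repo is empty}" "${TAG:?inputs.tag is empty}"`. If the `run:` block continues past the end of this hunk, the guard still belongs before the first use of these variables.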


@@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-amd64
id: build-and-push-kata-deploy-ci-amd64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done
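Review bot: `TARGET_ARCH` is now taken from `env:` rather than expanded into the script, which closes the injection surface, but the loop at the end of the second hunk still builds `"${tag}-${TARGET_ARCH}"` with no check that the variable is non-empty, so a missing `target-arch` input would push images tagged `<tag>-` to both ghcr.io and quay.io. Unless the input is declared `required: true` (outside this hunk), add `: "${TARGET_ARCH:?inputs.target-arch must be set}"` before the `for` loop. The `tags` array is populated between the two hunks, which I cannot see, so I cannot judge its derivation from `$GITHUB_REF` here. This step is repeated nearly verbatim in the arm64, ppc64le and s390x workflows in the same commit, so any such guard should be applied to all of them, or the step folded into one reusable workflow parameterised on the architecture.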


@@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-arm64
id: build-and-push-kata-deploy-ci-arm64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done
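Review bot: The new `"${tag}-${TARGET_ARCH}"` arguments in the loop are safe from template injection now that the value comes through `env:`, but nothing in the step fails early when `TARGET_ARCH` is empty, and the result would be a malformed `<tag>-` image tag pushed to two public registries. Add `: "${TARGET_ARCH:?inputs.target-arch must be set}"` at the top of the `run:` block unless `inputs.target-arch` is declared `required: true` in the workflow header, which is outside this hunk. The derivation of `tags` from `$GITHUB_REF` sits between the two hunks and is not visible here. The same step is duplicated in the amd64, ppc64le and s390x workflows, so the guard should land in all four.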


@@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-ppc64le
id: build-and-push-kata-deploy-ci-ppc64le
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done
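Review bot: Moving `inputs.target-arch` into `TARGET_ARCH` removes the expression from the script text, but the loop still interpolates it unchecked into `"${tag}-${TARGET_ARCH}"`, so an empty or missing input degrades to a `<tag>-` suffix on images pushed to ghcr.io and quay.io rather than an error. Unless the input is declared `required: true` (not visible in this hunk), add `: "${TARGET_ARCH:?inputs.target-arch must be set}"` before the `for` loop. The code that fills `tags` from `$GITHUB_REF` lies between the two hunks and I cannot review it here. This block is a near-copy of the amd64, arm64 and s390x steps changed in the same commit; apply the guard consistently or deduplicate the step.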


@@ -61,6 +61,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-s390x
id: build-and-push-kata-deploy-ci-s390x
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -74,8 +76,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done
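Review bot: The rewritten `"${tag}-${TARGET_ARCH}"` arguments are no longer a template-injection vector, but the step has no guard against `TARGET_ARCH` being empty, in which case the loop pushes images tagged `<tag>-` to both registries without failing. Add `: "${TARGET_ARCH:?inputs.target-arch must be set}"` ahead of the `for` loop unless `inputs.target-arch` is marked `required: true` in the header, which this hunk does not show. The population of `tags` from `$GITHUB_REF` happens between the two hunks and is not visible. The same step exists in the amd64, arm64 and ppc64le workflows touched by this commit, so the guard should be mirrored there.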


@@ -251,9 +251,12 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: Login to the OCI registries
env:
QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
GITHUB_ACTOR: ${{ github.actor }}
run: |
echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin
echo "${{ github.token }}" | helm registry login ghcr.io --username $ --password-stdin
echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
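Review bot: The username side of both `helm registry login` calls moved to `env:`, but on the two new `run:` lines `secrets.QUAY_DEPLOYER_PASSWORD` and `github.token` are still expanded with `${{ }}` directly into the script, so the credentials are substituted into the script text before the runner writes it to its temporary script file, rather than living only in the step's environment. Zizmor does not treat secrets as injectable, so this is not flagged, but the same `env:` plus shell-variable pattern already used for the username keeps the credentials out of the script body and matches the `GH_TOKEN: ${{ github.token }}` already set on the preceding step. Proposed rewrite of the step:

```yaml
        env:
          # … unchanged: QUAY_DEPLOYER_USERNAME, GITHUB_ACTOR …
          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
          GH_TOKEN: ${{ github.token }}
        run: |
          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
          echo "${GH_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
```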
- name: Push helm chart to the OCI registries
run: |


@@ -4,7 +4,6 @@ on:
push:
branches: ["main"]
pull_request:
paths: [".github/workflows/**"]
permissions:
contents: read