github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-06 12:06:49 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11475 from kata-containers/sprt/zizmor-fixes

Browse Source 
security: ci: Fixes for Zizmor GHA security scanning
This commit is contained in:
Aurélien Bombo 2025-07-03 13:29:47 -05:00 committed by GitHub
commit fe532f9d04
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/ci-on-push.yaml vendored
View File

@ -16,7 +16,6 @@ on:
permissions: permissions:
contents: read contents: read
id-token: write
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

9
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@ -79,7 +79,12 @@ jobs:
- name: build-and-push-kata-payload for ${{ inputs.arch }} - name: build-and-push-kata-payload for ${{ inputs.arch }}
id: build-and-push-kata-payload id: build-and-push-kata-payload
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repo }}
TAG: ${{ inputs.tag }}
run: | run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz \ "$(pwd)/kata-static.tar.xz" \
${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }} "${REGISTRY}/${REPO}" \
"${TAG}"

6
.github/workflows/release-amd64.yaml vendored
View File

@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-amd64 - name: build-and-push-kata-deploy-ci-amd64
id: build-and-push-kata-deploy-ci-amd64 id: build-and-push-kata-deploy-ci-amd64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
done done

6
.github/workflows/release-arm64.yaml vendored
View File

@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-arm64 - name: build-and-push-kata-deploy-ci-arm64
id: build-and-push-kata-deploy-ci-arm64 id: build-and-push-kata-deploy-ci-arm64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
done done

6
.github/workflows/release-ppc64le.yaml vendored
View File

@ -57,6 +57,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-ppc64le - name: build-and-push-kata-deploy-ci-ppc64le
id: build-and-push-kata-deploy-ci-ppc64le id: build-and-push-kata-deploy-ci-ppc64le
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
done done

6
.github/workflows/release-s390x.yaml vendored
View File

@ -61,6 +61,8 @@ jobs:
- name: build-and-push-kata-deploy-ci-s390x - name: build-and-push-kata-deploy-ci-s390x
id: build-and-push-kata-deploy-ci-s390x id: build-and-push-kata-deploy-ci-s390x
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: | run: |
# We need to do such trick here as the format of the $GITHUB_REF # We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>" # is "refs/tags/<tag>"
@ -74,8 +76,8 @@ jobs:
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \ "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}" "${tag}-${TARGET_ARCH}"
done done

7
.github/workflows/release.yaml vendored
View File

@ -251,9 +251,12 @@ jobs:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
- name: Login to the OCI registries - name: Login to the OCI registries
env:
QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
GITHUB_ACTOR: ${{ github.actor }}
run: | run: |
echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
echo "${{ github.token }}" | helm registry login ghcr.io --username $ --password-stdin echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
- name: Push helm chart to the OCI registries - name: Push helm chart to the OCI registries
run: | run: |

1
.github/workflows/zizmor.yaml vendored
View File

@ -4,7 +4,6 @@ on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
paths: [".github/workflows/**"]
permissions: permissions:
contents: read contents: read

2
tools/testing/gatekeeper/required-tests.yaml
View File

@ -6,7 +6,7 @@ required_tests:
- Shellcheck required / shellcheck-required - Shellcheck required / shellcheck-required
# TODO: cargo-deny-runner.yaml not yet treated as conditional # TODO: cargo-deny-runner.yaml not yet treated as conditional
- Cargo Crates Check Runner / cargo-deny-runner - Cargo Crates Check Runner / cargo-deny-runner
- GHA security analysis / zizmor
required_regexps: required_regexps:
# Always required regexps # Always required regexps