5 Commits

Author	SHA1	Message	Date
stevenhorsman	9d3b9fb438	workflows: Pin action hashes ... Pin Github owned actions to specific hashes as recommended as tags are mutable see https://pin-gh-actions.kammel.dev/. This one of the recommendations that scorecard gives us. Note this was generated with `frizbee actions` Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2025-06-21 08:14:13 +01:00
stevenhorsman	99e70100c7	workflows: Set persist-credentials: false on checkout ... By default the checkout action leave the credentials in the checked-out repo's `.git/config`, which means they could get exposed. Use persist-credentials: false to prevent this happening. Note: static-checks.yaml does use git diff after the checkout, but the git docs state that git diff is just local, so doesn't need authentication. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2025-06-10 10:33:41 +01:00
stevenhorsman	088e97075c	workflow: Add top-level permissions ... Set: ``` permissions: contents: read ``` as the default top-level permissions explicitly to conform to recommended security practices e.g. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions	2025-05-28 19:34:28 +01:00
Fabiano Fidêncio	fd832d0feb	tests: kata-deploy: Run installation with only one VMM ... It doesn't make much sense to test different VMMs as that wouldn't trigger a different code path. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>	2025-03-05 19:44:27 +01:00
Fabiano Fidêncio	14bf653c35	tests: kata-deploy: Re-add tests, now using github runners ... As GitHub runners now support nested virt, we're don't depend on garm for those anymore. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>	2025-03-05 19:44:27 +01:00