stevenhorsman
088e97075c
workflow: Add top-level permissions
...
Set:
```
permissions:
contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13
gha: Pin third-party actions to commit hashes
...
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.
This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.
Hopefully actionlint starts warning about this soon [4].
[1] https://www.cve.org/CVERecord?id=CVE-2025-30066
[2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
[4] https://github.com/rhysd/actionlint/pull/436
Signed-off-by: Aurélien Bombo <abombo@microsoft.com >
2025-03-19 13:52:49 -05:00
stevenhorsman
ee0f0b7bfe
workflows: shellcheck: Expand vendor ignore
...
- In the previous PR I only skipped the runtime/vendor
directory, but errors are showing up in other vendor
packages, so try a wildcard skip
- Also update the job step was we can distinguish between the
required and non-required versions
Signed-off-by: stevenhorsman <steven@uk.ibm.com >
2025-03-06 14:35:12 +00:00
stevenhorsman
b3972df3ca
workflows: Shellcheck - ignore vendor
...
Ignore the vendor directories in our shellcheck
workflow as we can't fix them. If there is a way to
set this in shellcheckrc that would be better, but
it doesn't seem to be implemented yet.
Signed-off-by: stevenhorsman <steven@uk.ibm.com >
2025-03-04 09:35:46 +00:00
Zvonko Kaiser
b231a795d7
gha: Add shellcheck
...
We need to start to fix our scripts. Lets run shellcheck
and see what needs to be reworked.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com >
2025-02-11 16:00:34 +00:00