github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-03-18 18:58:36 +00:00
Code Issues Projects Releases Wiki Activity
16,324 Commits 73 Branches 145 Tags
abbe1be69fe83facfc2eb8d79dfdff2471f2fc7f
Commit Graph

6 Commits

Author SHA1 Message Date
stevenhorsman
9d3b9fb438 workflows: Pin action hashes 
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-21 08:14:13 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout 
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-10 10:33:41 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions 
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
 2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes 
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-03-19 13:52:49 -05:00
stevenhorsman
ee0f0b7bfe workflows: shellcheck: Expand vendor ignore 
- In the previous PR I only skipped the runtime/vendor
directory, but errors are showing up in other vendor
packages, so try a wildcard skip
- Also update the job step was we can distinguish between the
required and non-required versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-03-06 14:35:12 +00:00
stevenhorsman
fb1d4b571f workflows: Add required shellcheck workflow 
Start with a required smaller set of shellchecks
to try and prevent regressions whilst we fix
the current problems

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-03-04 09:35:46 +00:00