Commit Graph

9 Commits

Author SHA1 Message Date
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
8d7d859e30 gha: Eliminate use of force-skip-ci label
This was originally implemented as a Jenkins skip and is only used in a few
workflows.  Nowadays this would be better implemented via the gatekeeper.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-02 10:29:50 -05:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Aurélien Bombo
de98e467b4 ci: Use ubuntu-22.04 instead of ubuntu-latest
22.04 is the default today:
23da668261/README.md

Being more specific will avoid unexpected errors when Github updates the
default.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-08-27 16:44:39 +00:00
Fabiano Fidêncio
fbc2a91ab5 gha: Cancel previous jobs if a PR is updated
Let's make sure we cancel previous runs, mainly as we have some of those
that take a lot of time to run, whenever the PR is updated.

This is based on the following stack overflow suggestion:
https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre

This is very much needed as we don't want to wait for a long time to
have access to a runner because of other runners are still being used
performing a task that's meaningless due to the PR update.

Fixes: #7298

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-11 14:37:10 +02:00
Fabiano Fidêncio
d87ab14fa7 workflows: Ensure force-skip-ci skips all actions
Before this change it was only applied to the static-checks, but if
we're already taking the extreme path of skipping the CI, we better
ensure we skip all the actions and not just a few of them.

Fixes: #3471

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-01-18 14:37:32 +01:00
Archana Shinde
33b1865e6e actions: Pin to a particular sha for actions
Since actions can access the github token, lets use a
particular version of sha rather than using master.

Fixes: #437

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
(cherry picked from commit 57b64f35e0)
2020-07-23 12:06:04 -07:00
Archana Shinde
c5081624c5 actions: Add action to perform WIP check for pull requests
Use github actions for performing WIP checks on PRs.
The action checks for keywords in subject line
as well labels.

Fixes: #437

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
(cherry picked from commit 0d96145c29)
2020-07-23 12:05:17 -07:00