Commit Graph

14 Commits

Author SHA1 Message Date
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
8d7d859e30 gha: Eliminate use of force-skip-ci label
This was originally implemented as a Jenkins skip and is only used in a few
workflows.  Nowadays this would be better implemented via the gatekeeper.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-02 10:29:50 -05:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
stevenhorsman
d4bd314d52 workflows: linting: Fix incorrect properties
These properties are currently invalid, so either
fix, or remove them

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
Aurélien Bombo
de98e467b4 ci: Use ubuntu-22.04 instead of ubuntu-latest
22.04 is the default today:
23da668261/README.md

Being more specific will avoid unexpected errors when Github updates the
default.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-08-27 16:44:39 +00:00
Archana Shinde
510bc36a77 github-actions: Remove ignore paths for required CI checks
If a PR contains files from the ignore-paths, these actions do not run
as intended. However, the actions are make as required. And there does
not seem to be a way to mark these as non-required in that case.
As a result a PR containing the files from the ignore-paths remains
stalled.
Hence remove the ignore-paths until github provides a way to mark
actions that are skipped due to ignore-paths as non-required/passed.

Fixes: #8663

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2023-12-15 15:12:20 -08:00
Fabiano Fidêncio
c5cfad7023 actions: Move all the checkout actions to v4
It's been released for a while now, and we need to keep consistency
between what we used.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-23 14:01:53 +02:00
Fabiano Fidêncio
fbc2a91ab5 gha: Cancel previous jobs if a PR is updated
Let's make sure we cancel previous runs, mainly as we have some of those
that take a lot of time to run, whenever the PR is updated.

This is based on the following stack overflow suggestion:
https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre

This is very much needed as we don't want to wait for a long time to
have access to a runner because of other runners are still being used
performing a task that's meaningless due to the PR update.

Fixes: #7298

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-07-11 14:37:10 +02:00
Bin Liu
f7fc436bed workflow: fix cargo-deny-runner.yaml syntax error
There is a syntax error in .github/workflows/cargo-deny-runner.yaml

Fixes: #5808

Signed-off-by: Bin Liu <bin@hyper.sh>
2022-12-01 12:32:00 +08:00
Bin Liu
340e24f175 actions: skip some job using "paths-ignore" filter
If only docs/images are changed, some jobs should not run.

Fixes: #5759

Signed-off-by: Bin Liu <bin@hyper.sh>
2022-11-25 15:33:32 +08:00
Derek Lee
bed4aab7ee github-actions: Add cargo-deny
Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files. To avoid hardcoding it, I worked around the problem
using a composite action that first generates the cargo-deny action by
finding all Cargo.toml files before calling this new generated action in
the master workflow.

Uses recommended deny.toml from cargo-deny repo with the following
modifications:

 ignore = ["RUSTSEC-2020-0071"]
  because chrono is dependent on the version of time with the
  vulnerability and there is no simple workaround

 multiple-versions = "allow"
  Because of the above error and other packages, there are instances
  where some crates require different versions of a crate.

 unknown-git = "allow"
  I don't see a particular issue with allowing crates from other repos.
  An alternative would be the manually set each repo we want in an
  allow-git list, but I see this as more of a nuisance that its worth.
  We could leave this as a warning (default), but to avoid clutter I'm
  going to allow it.

If deny.toml needs to be edited in the future, here's the guide:
https://embarkstudios.github.io/cargo-deny/index.html

Fixes #3359

Signed-off-by: Derek Lee <derlee@redhat.com>
2022-08-30 09:30:03 -07:00