Commit Graph

12 Commits

Author SHA1 Message Date
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
stevenhorsman
475baf95ad ci: Try passing api token into githubh api call
Our CI keeps on getting
```
jq: error (at <stdin>:1): Cannot index string with string "tag_name"
```
during the install dependencies phase, which I suspect
might be due to github rate limits being reduced, so try
to pass through the `GH_TOKEN` env and use it in the auth header.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-24 08:49:32 +01:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
stevenhorsman
a5f1a5a0ee workflow: Remove/skip runk CI
As discussed in the AC meeting, we don't have a maintainer,
(or users?) of runk, and the CI is unstable, so giving we can't
support it, we shouldn't waste CI cycles on it.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-07 14:16:30 +00:00
Aurélien Bombo
b4ce84b9d2 ci: Move run-runk to free runner
No change other than switching the runner - no dependency issue
expected.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-08-27 16:43:33 +00:00
Aurélien Bombo
c605fff4c1 ci: Temporarily disable kata-deploy and GARM tests
Per the decision taken in the 6/27 AC meeting, this PR temporarily
disables kata-deploy and GARM tests until we secure further Azure CI
funding.

In the meantime, I'll transition the GARM tests to free runners and
reenable them to regain that coverage without affecting spending (see
#9940). If it turns out the free runners are too slow, we'll switch back
to GARM.

After funding is secured, we'll reenable the kata-deploy tests (see
#9939).

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-06-28 20:23:07 +00:00
Greg Kurz
424a5e243f gha: Bump to actions/[down|up]load-artifact@v4 (all the rest)
`Node.js 19` is deprecated. Bump to a new version based on `Node.js 20`.

This fixes all remaining sites.

Fixes #9245

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-04-05 18:36:51 +02:00
Wainer dos Santos Moschetta
28a63070f7 gha: fix step name in run-runk-tests
Likely copied from the tracing workflow by mistake.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2024-02-26 11:09:29 -03:00
Fabiano Fidêncio
7f23772763 ci: Add placeholder for runk tests
The runk test has been executed as part of the former "ubuntu" jenkins
CI.

We're porting it to GHA and running it against LTS containerd.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-04 20:40:32 +02:00