kata-containers

github/kata-containers

Fork 2

mirror of https://github.com/kata-containers/kata-containers.git synced 2026-03-18 10:44:10 +00:00

Commit Graph

Author	SHA1	Message	Date
Aurélien Bombo	a678046d13	gha: Pin third-party actions to commit hashes A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2025-03-19 13:52:49 -05:00
stevenhorsman	ee0f0b7bfe	workflows: shellcheck: Expand vendor ignore - In the previous PR I only skipped the runtime/vendor directory, but errors are showing up in other vendor packages, so try a wildcard skip - Also update the job step was we can distinguish between the required and non-required versions Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2025-03-06 14:35:12 +00:00
stevenhorsman	fb1d4b571f	workflows: Add required shellcheck workflow Start with a required smaller set of shellchecks to try and prevent regressions whilst we fix the current problems Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2025-03-04 09:35:46 +00:00

Author

SHA1

Message

Date

Aurélien Bombo

a678046d13

gha: Pin third-party actions to commit hashes

A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>

2025-03-19 13:52:49 -05:00

stevenhorsman

ee0f0b7bfe

workflows: shellcheck: Expand vendor ignore

- In the previous PR I only skipped the runtime/vendor
directory, but errors are showing up in other vendor
packages, so try a wildcard skip
- Also update the job step was we can distinguish between the
required and non-required versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

2025-03-06 14:35:12 +00:00

stevenhorsman

fb1d4b571f

workflows: Add required shellcheck workflow

Start with a required smaller set of shellchecks
to try and prevent regressions whilst we fix
the current problems

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

2025-03-04 09:35:46 +00:00

3 Commits