A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
# Reusable workflow (invoked via workflow_call) that publishes a kata-deploy
# payload: it checks out the requested commit, rebases it atop the target
# branch, downloads the kata-static tarball artifact for the given arch, logs
# in to the selected registry and runs the build-and-upload script.
name: CI | Publish kata-deploy payload

on:
  workflow_call:
    inputs:
      # Optional suffix appended to the artifact name downloaded below.
      tarball-suffix:
        required: false
        type: string
      # Registry to push to; only 'quay.io' and 'ghcr.io' have a login step
      # below, any other value reaches the push script without a login.
      registry:
        required: true
        type: string
      # Repository path under the registry the payload is pushed to.
      repo:
        required: true
        type: string
      # Image tag passed to the build-and-upload script.
      tag:
        required: true
        type: string
      # Commit to check out; when empty, actions/checkout falls back to its
      # own default ref.
      commit-hash:
        required: false
        type: string
      # Exported as TARGET_BRANCH for the rebase helper; empty by default
      # (how the helper treats an empty value is decided in tests/git-helper.sh,
      # not here).
      target-branch:
        required: false
        type: string
        default: ""
      runner:
        default: 'ubuntu-22.04'
        description: The runner to execute the workflow on. Defaults to 'ubuntu-22.04'.
        required: false
        type: string
      arch:
        description: The arch of the tarball.
        required: true
        type: string

jobs:
  kata-payload:
    runs-on: ${{ inputs.runner }}
    steps:
      # GitHub-owned actions (actions/*) stay tag-pinned; the SHA pinning in
      # this change is applied to the third-party action further down.
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          # Full history — presumably needed so the rebase step below can
          # reach the target branch; confirm against tests/git-helper.sh.
          fetch-depth: 0

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        # Input is handed to the script through the environment rather than
        # being expanded into the script text.
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball for ${{ inputs.arch }}
        uses: actions/download-artifact@v4
        with:
          name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}

      - name: Login to Kata Containers quay.io
        if: ${{ inputs.registry == 'quay.io' }}
        # Third-party action pinned to a full-length commit SHA so that a
        # moved or re-pointed tag cannot change what runs here. The trailing
        # "# v3.4.0" only documents the tag the SHA was taken from; update the
        # SHA and this comment together when bumping.
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - name: Login to Kata Containers ghcr.io
        if: ${{ inputs.registry == 'ghcr.io' }}
        # Same SHA-pinned action as the quay.io login step above.
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          # Uses the workflow's own token rather than a stored secret.
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: build-and-push-kata-payload for ${{ inputs.arch }}
        id: build-and-push-kata-payload
        # NOTE(review): the ${{ inputs.* }} expressions below are substituted
        # into the script text before the shell runs, so their values are not
        # shell-quoted. Passing them via `env:` (as TARGET_BRANCH is above) and
        # referencing "$VAR" in the script would keep them as plain data.
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
          "$(pwd)"/kata-static.tar.xz \
          ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}