harden actions

2026-05-25 18:13:11 +00:00 · 2026-05-22 18:50:43 +02:00
parent 90d5ec8af1
commit e009003ffa
12 changed files with 125 additions and 92 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,9 @@ env:
  REGISTRY: ghcr.io
  RELOADER_EDITION: oss

+# Default to no GITHUB_TOKEN permissions; each job opts into the minimum it needs.
+permissions: {}
+
 jobs:
  release:

@@ -25,7 +28,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          token: ${{ secrets.PUBLISH_TOKEN }}
          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -33,16 +36,16 @@ jobs:

      # Setting up helm binary
      - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.3

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: 'go.mod'
          check-latest: true
-          cache: true
+          cache: false

      - name: Install Dependencies
        run: |
@@ -81,13 +84,13 @@ jobs:
        run: echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Login to Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.STAKATER_DOCKERHUB_USERNAME }}
          password: ${{ secrets.STAKATER_DOCKERHUB_PASSWORD }}
@@ -97,13 +100,12 @@ jobs:
          echo DOCKER_IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV

      - name: Build and Push Docker Image to Docker registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: .
          file: ${{ env.DOCKER_FILE_PATH  }}
          pull: true
          push: true
-          cache-to: type=inline
          platforms: linux/amd64,linux/arm,linux/arm64
          tags: |
            ${{ env.DOCKER_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}
@@ -118,7 +120,7 @@ jobs:
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Build and Push Docker UBI Image to Docker registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: .
          file: ${{ env.DOCKER_UBI_FILE_PATH  }}
@@ -126,7 +128,6 @@ jobs:
          push: true
          build-args: |
            BUILDER_IMAGE=${{ env.DOCKER_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}
-          cache-to: type=inline
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ env.DOCKER_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}-ubi
@@ -136,7 +137,7 @@ jobs:
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Login to ghcr registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ${{env.REGISTRY}}
          username: stakater-user
@@ -148,13 +149,12 @@ jobs:

      # tag this image as latest as it will be used in plain manifests
      - name: Build and Push Docker Image to ghcr registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: .
          file: ${{ env.DOCKER_FILE_PATH  }}
          pull: true
          push: true
-          cache-to: type=inline
          platforms: linux/amd64,linux/arm,linux/arm64
          tags: |
            ${{ env.GHCR_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }},${{ env.GHCR_IMAGE_REPOSITORY }}:latest
@@ -169,7 +169,7 @@ jobs:
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Build and Push Docker UBI Image to ghcr registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: .
          file: ${{ env.DOCKER_UBI_FILE_PATH  }}
@@ -177,7 +177,6 @@ jobs:
          push: true
          build-args: |
            BUILDER_IMAGE=${{ env.GHCR_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}
-          cache-to: type=inline
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ env.GHCR_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}-ubi
@@ -191,7 +190,7 @@ jobs:
      ##############################

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@master
+        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
        with:
          version: latest
          args: release --clean
@@ -199,7 +198,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}

      - name: Notify Slack
-        uses: 8398a7/action-slack@v3
+        uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3
        if: always() # Pick up events even if the job fails or is canceled.
        with:
          status: ${{ job.status }}