diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index edf681d..6f719ec 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -16,10 +16,10 @@ jobs:
govulncheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/runner-cleanup
- name: Vulnerability scan
id: govulncheck
- uses: golang/govulncheck-action@v1
+ uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
with:
repo-checkout: false
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 998c2cf..cc31858 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -14,11 +14,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Disk Cleanup
uses: ./.github/actions/runner-cleanup
- name: Setup Kubernetes
- uses: helm/kind-action@v1.14.0
+ uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
with:
cluster_name: kind
- name: Build container image
@@ -26,7 +26,7 @@ jobs:
./test/build.sh
kind load docker-image test/podinfo:latest
- name: Setup Helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
with:
version: v4.1.0
- name: Deploy
@@ -49,12 +49,12 @@ jobs:
PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
PODINFO_VERSION: "0.0.0-devel"
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/runner-cleanup
- name: Setup Timoni
- uses: stefanprodan/timoni/actions/setup@main
+ uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Setup Kubernetes
- uses: helm/kind-action@v1.14.0
+ uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
with:
cluster_name: kind
- name: Build container
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 336818d..de3ac55 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,14 +15,15 @@ jobs:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
+ attestations: write # needed for provenance
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/runner-cleanup
- - uses: sigstore/cosign-installer@v4.0.0
- - uses: fluxcd/flux2/action@v2.8.1
- - uses: stefanprodan/timoni/actions/setup@v0.26.0
+ - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ - uses: fluxcd/flux2/action@97222a775ae8e68f1e85508f356f248704255c9c # v2.8.1
+ - uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Setup Notation CLI
- uses: notaryproject/notation-action/setup@v1
+ uses: notaryproject/notation-action/setup@b6fee73110795d6793253c673bd723f12bcf9bbb # v1.2.2
with:
version: "1.1.0"
- name: Setup Notation signing keys
@@ -34,28 +35,28 @@ jobs:
env:
NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
- name: Setup Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: 1.26.x
- name: Setup Helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
with:
version: v4.1.1
- name: Setup QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with:
platforms: all
- name: Setup Docker Buildx
id: buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
@@ -71,7 +72,7 @@ jobs:
echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
- name: Generate images meta
id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: |
docker.io/stefanprodan/podinfo
@@ -80,7 +81,7 @@ jobs:
type=raw,value=${{ steps.prep.outputs.VERSION }}
type=raw,value=latest
- name: Publish multi-arch image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
sbom: true
provenance: true
@@ -123,7 +124,7 @@ jobs:
cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
- name: Publish base image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
push: true
builder: ${{ steps.buildx.outputs.name }}
@@ -132,7 +133,7 @@ jobs:
file: ./Dockerfile.base
tags: docker.io/stefanprodan/podinfo-base:latest
- name: Publish helm chart
- uses: stefanprodan/helm-gh-pages@master
+ uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish config artifact
@@ -158,9 +159,13 @@ jobs:
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
- name: Publish release
- uses: goreleaser/goreleaser-action@v7
+ uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
version: latest
args: release --skip=validate
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Attest release
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+ with:
+ subject-checksums: ./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a6d48d3..075d2e4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
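Review bot: The new `Attest release` step at the end of the @@ -158,9 hunk hands `actions/attest` only `subject-checksums`, but that is the generic attestation action and, in the releases I know of, it requires `predicate-type` plus `predicate` or `predicate-path`, so the step looks like it would fail at runtime; please verify against the v4.1.0 input list. If the goal is SLSA build provenance, as the `attestations: write # needed for provenance` comment added earlier in release.yml suggests, the matching action is `actions/attest-build-provenance` (pinned to a commit SHA like everything else in this change), which accepts `subject-checksums` on its own. The step also runs only after goreleaser has already published the GitHub release, so a failure here leaves a live release with no attestation, which makes it worth confirming up front that `./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt` matches the checksum filename goreleaser emits for the `VERSION` value set in the prep step. The prep step and the rest of the release job sit outside this hunk.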
@@ -17,29 +17,29 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/runner-cleanup
- name: Setup Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: 1.26.x
cache-dependency-path: |
**/go.sum
**/go.mod
- name: Setup kubectl
- uses: azure/setup-kubectl@v4
+ uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: v${{ env.KUBERNETES_VERSION }}
- name: Setup kubeconform
uses: ./.github/actions/kubeconform
- name: Setup Helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
with:
version: v${{ env.HELM_VERSION }}
- name: Setup CUE
- uses: cue-lang/setup-cue@v1.0.1
+ uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
- name: Setup Timoni
- uses: stefanprodan/timoni/actions/setup@v0.26.0
+ uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Run unit tests
run: make test
- name: Validate Helm chart