From 094b27a5a5d91d0dcf6846f12aa860744351bde7 Mon Sep 17 00:00:00 2001
From: Charly Molter
Date: Tue, 9 Jan 2024 18:22:19 +0100
Subject: [PATCH] ci(github): run security actions on schedule and fix issues (#8787)

The goal is to minimize the number of runners required to reduce queueing on github workers

Signed-off-by: Charly Molter
---
 .github/workflows/build-test-distribute.yaml | 8 ++++---
 .github/workflows/codeql.yaml | 5 ++--
 .github/workflows/golangci-lint.yml | 23 -------------------
 .github/workflows/scorecard.yml | 5 ++--
 .../update-insecure-dependencies.yaml | 15 ++++++------
 5 files changed, 18 insertions(+), 38 deletions(-)
 delete mode 100644 .github/workflows/golangci-lint.yml
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index e8df16d8797b..c0acd688ebbb 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -30,9 +30,7 @@ jobs:
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
- cache-dependency-path: |
- .run-full-matrix
- go.sum
+ cache: false
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: |
@@ -42,6 +40,10 @@ jobs:
${{ runner.os }}-${{ runner.arch }}-devtools
- run: |
make dev/tools
+ - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+ with:
+ args: --fix=false --verbose
+ version: v1.54.1
- run: |
make clean
- run: |
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index b278c9d847aa..a6b76f579eb6 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -1,7 +1,8 @@
name: "CodeQL"
on:
- push:
- branches: ["master"]
+ workflow_dispatch: {}
+ schedule:
+ - cron: '35 3 * * *'
permissions:
contents: read
jobs:
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
deleted file mode 100644
index 474bac13ffc7..000000000000
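Review bot: The golangci-lint step added after `make dev/tools` now inherits build-test-distribute.yaml's triggers and top-level `permissions:`, both outside the hunk, whereas the deleted golangci-lint.yml ran on `pull_request` and on pushes to `master`/`release-*` under `permissions: contents: read`; confirm this workflow's permissions are no broader and that it still fires on pull requests, otherwise lint stops gating PRs. The SHA pin with a `# v3.7.0` trailing comment follows the convention already used in this file, which is good. One smaller point: golangci-lint-action v3 manages its own Go caches, so now that the earlier hunk sets `cache: false` on setup-go it is worth recording the intent with a comment such as `# module/build caching is left to golangci-lint-action; setup-go cache disabled on purpose`, or passing `skip-pkg-cache: true` if double caching is not wanted. The job these steps belong to starts before the hunk.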
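Review bot: With `push` removed, CodeQL runs only at the 03:35 schedule or on manual dispatch, so a commit that introduces a finding is not analysed until the next night and no result is ever attached to the PR or the merge commit. If the aim is only to stop per-PR scans, keeping `push:` / `branches: ["master"]` alongside `schedule:` costs one runner per merge and preserves attribution of findings to commits. Two caveats deserve a comment above `schedule:`: GitHub suspends schedule-only workflows in repositories without recent commit activity, and, as far as I recall, the OpenSSF Scorecard SAST check only credits CodeQL when it runs on pull requests, so the scorecard.yml changed in this same patch will probably score lower. Suggested comment: `# Nightly only, to save runners; findings surface up to 24h after merge and are not reported on PRs.`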
--- a/.github/workflows/golangci-lint.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Golangci-lint
-on:
- push:
- branches:
- - master
- - release-*
- pull_request:
-permissions:
- contents: read
-jobs:
- golangci:
- name: lint
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- with:
- cache: false
- go-version-file: go.mod
- - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
- with:
- args: --fix=false --verbose
- version: v1.54.1
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 233ba5684416..43d4e37b4e69 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -3,12 +3,11 @@ on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
+ workflow_dispatch: {}
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- - cron: '35 3 * * 1'
- push:
- branches: ["master"]
+ - cron: '35 3 * * *'
# Declare default permissions as read only.
permissions: read-all
jobs:
diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml
index 2d5113dc0f1b..108281495956 100644
--- a/.github/workflows/update-insecure-dependencies.yaml
+++ b/.github/workflows/update-insecure-dependencies.yaml
@@ -3,6 +3,7 @@ on:
workflow_dispatch: {}
schedule:
- cron: 0 3 * * *
+permissions: read-all
jobs:
build-matrix:
runs-on: ubuntu-latest
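Review bot: The new cron `'35 3 * * *'` is the same minute as the CodeQL schedule introduced in this patch, and update-insecure-dependencies.yaml fires at `0 3 * * *`, so all three security workflows now land in one 35-minute window every night — given the stated aim of reducing runner queueing, stagger them (e.g. `- cron: '35 4 * * *'` here) or spread Scorecard across days, since the retained comment says the Maintained check only needs an occasional run. Moving from weekly to daily also multiplies Scorecard's GitHub API usage sevenfold, which is worth checking against the token's rate limits. Dropping the `push` trigger is fine for result publishing, as scheduled runs execute on the default branch.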
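Review bot: `permissions: read-all` is a welcome addition, but it grants the GITHUB_TOKEN read on every scope (packages, pull-requests, actions, …) when the steps visible later in this patch only need `contents: read` for checkout — the PR is opened with the GitHub App token, not GITHUB_TOKEN. Prefer the block form `permissions:` / `  contents: read`, which leaves every other scope at none and matches codeql.yaml in this same change. The `jobs:` section continues past the hunk, so check that no job overrides this with a broader job-level `permissions:`. The context line `- cron: 0 3 * * *` is the only unquoted cron among the workflows touched here; quoting it would be a harmless consistency fix.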
@@ -29,12 +30,6 @@ jobs:
uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c
with:
swap-size-gb: 10
- - name: Generate GitHub app token
- id: github-app-token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
- with:
- app_id: ${{ secrets.APP_ID }}
- private_key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ matrix.branch }}
@@ -43,7 +38,7 @@ jobs:
go-version-file: go.mod
- name: "Install tools"
run: |
- go install github.com/google/osv-scanner/cmd/osv-scanner@v1
+ go install github.com/google/osv-scanner/cmd/osv-scanner@060799ca816dfa40afa05e48c895c0c9fd79b90b
- name: "Prepare commit body - before"
id: prepare_commit_body_before
run: |
@@ -62,6 +57,12 @@ jobs:
echo "SCAN_OUTPUT_AFTER<> $GITHUB_ENV
echo "$SCAN_OUTPUT_AFTER" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
+ - name: Generate GitHub app token
+ id: github-app-token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: "Create Pull Request"
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
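Review bot: Pinning osv-scanner to a commit removes the floating `@v1`, but unlike the action pins in this file the line carries no `# vX.Y.Z` comment, so a reader cannot tell which release `060799ca…` corresponds to, and Dependabot/Renovate will not bump a bare hash. Add the matching tag — or the reason, if this is an unreleased fix — as a trailing comment: `go install github.com/google/osv-scanner/cmd/osv-scanner@060799ca816dfa40afa05e48c895c0c9fd79b90b # vX.Y.Z, pinned on purpose`. Note that `go install` still fetches through GOPROXY and verifies the module against the checksum database, so the pin buys reproducibility rather than any review of the tool's own dependency tree.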
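Review bot: Minting the App token immediately before `Create Pull Request`, rather than before checkout and `go install` as the first hunk removes, keeps the token out of scope while third-party tooling runs — a genuine improvement. The token still carries every permission of the App installation, though: tibdex/github-app-token v2 accepts `permissions` and `repositories` inputs, so scoping it with `permissions: '{"contents": "write", "pull_requests": "write"}'` (verify against the pinned v2.1.0 that both inputs exist and that create-pull-request needs nothing more) bounds what a leak from the following step could do. Upstream has, I believe, archived this action in favour of `actions/create-github-app-token`, which would be a natural follow-up. The `with:` block of the Create Pull Request step continues past the hunk.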