diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d31508a9fb99..cc4c64085c00 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -31,3 +31,8 @@ updates: labels: - "dependencies" - "ci/skip-test" # No need to run tests on github actions updates + + - package-ecosystem: docker + directory: /tools/postgres + schedule: + interval: daily diff --git a/.github/workflows/auto-backport.yaml b/.github/workflows/auto-backport.yaml index 2d3a083f2e8e..bc965c1e4ae1 100644 --- a/.github/workflows/auto-backport.yaml +++ b/.github/workflows/auto-backport.yaml @@ -6,6 +6,8 @@ env: PREDEFINED_GLOBS: ".github/**/*,.circleci/**/*,Makefile,mk/**/*,tools/**/*,.golangci.yml,.kube-linter.yaml" LABEL_TO_ADD: backport NO_BACKPORT_AUTOLABEL: no-backport-autolabel +permissions: + contents: read jobs: backport_label: runs-on: ubuntu-latest @@ -13,7 +15,7 @@ jobs: issues: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Check diff and add label diff --git a/.github/workflows/blackbox-tests.yaml b/.github/workflows/blackbox-tests.yaml index 96b08908e41e..ce2a92c16c34 100644 --- a/.github/workflows/blackbox-tests.yaml +++ b/.github/workflows/blackbox-tests.yaml @@ -3,13 +3,15 @@ on: workflow_dispatch: env: CGO_ENABLED: "0" +permissions: + contents: read jobs: blackbox-tests: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Set up Go" - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod - name: "Install dependencies" diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml index 862c080a9043..64e20a81e83e 100644 --- a/.github/workflows/build-test-distribute.yaml +++ b/.github/workflows/build-test-distribute.yaml 
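Review bot: The new `docker` entry for `/tools/postgres` at the end of the dependabot hunk carries no `labels:`, unlike the entry immediately above it, which is labelled `dependencies` and `ci/skip-test`. A digest bump of the Postgres test image should keep running the test suite, so `ci/skip-test` is not wanted here, but the `dependencies` label is presumably still useful for triage and filtering; add `labels:` / `- "dependencies"` under the new entry so the Dependabot PRs for this ecosystem are tagged consistently with the others.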
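Review bot: The workflow-level `permissions: contents: read` added to auto-backport.yaml does not reach the `backport_label` job, because that job already declares its own `permissions:` block (its `issues: write` is visible as context at the top of the next hunk) and a job-level block replaces the workflow default rather than merging with it. The job therefore keeps running with `issues: write` only, exactly as before this change; if the intent was to grant it `contents: read` for the `fetch-depth: 0` checkout, that key has to be added to the job-level block next to `issues: write`. If the job already works without it, the top-level block is harmless but misleading, and a comment such as `# default for jobs that do not declare their own permissions block` would make that explicit.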
@@ -19,7 +19,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: "Check if should run on all arch/os combinations" @@ -27,13 +27,13 @@ jobs: run: | echo 'RUN_FULL_MATRIX=true' > .run-full-matrix echo 'RUN_FULL_MATRIX=true' >> $GITHUB_ENV - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod cache-dependency-path: | .run-full-matrix go.sum - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} @@ -49,7 +49,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: "Check if should run on all arch/os combinations" @@ -57,13 +57,13 @@ jobs: run: | echo 'RUN_FULL_MATRIX=true' > .run-full-matrix echo 'RUN_FULL_MATRIX=true' >> $GITHUB_ENV - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod cache-dependency-path: | .run-full-matrix go.sum - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} @@ -120,7 +120,7 @@ jobs: runs-on: ubuntu-latest if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip-test') }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: "Check if should run on all arch/os combinations" 
@@ -128,13 +128,13 @@ jobs: run: | echo 'RUN_FULL_MATRIX=true' > .run-full-matrix echo 'RUN_FULL_MATRIX=true' >> $GITHUB_ENV - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod cache-dependency-path: | .run-full-matrix go.sum - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} @@ -157,7 +157,7 @@ jobs: run: | make test TEST_REPORTS=1 - name: Save test reports - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: test-reports path: build/reports @@ -173,7 +173,7 @@ jobs: exit 1 # for some reason, GH Action will always trigger a downstream job even if there are errors in an dependent job # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149 - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: "Check if should run on all arch/os combinations" @@ -194,13 +194,13 @@ jobs: - name: Install dependencies for cross builds run: | sudo apt-get update; sudo apt-get install -y qemu-user-static binfmt-support - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod cache-dependency-path: | .run-full-matrix go.sum - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} 
@@ -264,7 +264,7 @@ jobs: PKG_FILENAME=$(find .cr-release-packages -type f -printf "%f\n") echo "filename=${PKG_FILENAME}" >> $GITHUB_OUTPUT - name: Upload packaged chart - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ steps.package-helm.outputs.filename }} path: .cr-release-packages/${{ steps.package-helm.outputs.filename }} diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index d2576ee14b59..dbb2875149d0 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -21,10 +21,10 @@ jobs: name: "Check PR title" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - run: npm install -g @commitlint/cli @commitlint/config-conventional - name: "Check PR title" # Inject as env variable to escape properly diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 154e1ddf9eb5..71a456a74f23 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml 
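Review bot: In the check.yaml hunk the `actions/setup-node@v4` step is replaced by `actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0`, yet the very next step still runs `npm install -g @commitlint/cli @commitlint/config-conventional`, so this looks like a copy/paste slip from the bulk pinning rather than an intended change. The step will probably only keep working because the hosted runner image happens to ship a Node toolchain, and `setup-go` without `go-version`/`go-version-file` contributes nothing this job uses. Pin the original action instead, e.g. `uses: actions/setup-node@<v4 commit sha> # v4.x`, following the same SHA-plus-version-comment convention used everywhere else in this change.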
@@ -15,18 +15,18 @@ jobs: matrix: language: ['go'] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: config-file: ./.github/codeql/codeql-config.yml languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index e5783d1df3ce..cf4b1ce45203 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -43,12 +43,12 @@ jobs: echo 'RUN_FULL_MATRIX=true' >> $GITHUB_ENV - name: "GitHub Actions: check out code" if: steps.eval-params.outputs.run-type == 'github' - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: "GitHub Actions: setup go" if: steps.eval-params.outputs.run-type == 'github' - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod cache-dependency-path: | @@ -56,7 +56,7 @@ jobs: go.sum - name: "GitHub Actions: set up cache" if: steps.eval-params.outputs.run-type == 'github' - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} 
@@ -160,7 +160,7 @@ jobs: - name: "CircleCI: make circleci parameters" if: steps.eval-params.outputs.run-type == 'circleci' id: circleci-gen-params - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | let circleCIParams = { diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 21bcc125848b..474bac13ffc7 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -12,12 +12,12 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: cache: false go-version-file: go.mod - - uses: golangci/golangci-lint-action@v3 + - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: args: --fix=false --verbose version: v1.54.1 diff --git a/.github/workflows/pr-comments.yaml b/.github/workflows/pr-comments.yaml index f445092ea59a..ef1e16fcb5a8 100644 --- a/.github/workflows/pr-comments.yaml +++ b/.github/workflows/pr-comments.yaml @@ -6,8 +6,12 @@ env: GH_USER: "github-actions[bot]" GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>" CI_TOOLS_DIR: /home/runner/work/kuma/kuma/.ci_tools +permissions: + contents: read jobs: pr_comments: + permissions: + contents: write # for Git to git push if: github.event.issue.pull_request != '' && (contains(github.event.comment.body, '/format') || contains(github.event.comment.body, '/golden_files')) runs-on: ubuntu-latest steps: 
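Review bot: The job-level `contents: write # for Git to git push` added to `pr_comments` hands a write-capable `GITHUB_TOKEN` to a job that is triggered by an issue comment (`/format` or `/golden_files` in the comment body, per the `if:` visible in this hunk) and that, in the following hunk, checks out `repository: ${{ env.REPO }}` at `ref: ${{ env.BRANCH_NAME }}` (the PR head repository and branch) and sets up Go and a tool cache against that code. Unless commenters are restricted somewhere not visible here, anyone able to comment on a PR can get code from their fork executed with that token and with the GitHub App token present in the job. If the push is meant to use the App token, keep `GITHUB_TOKEN` at `contents: read` and pass the App token to `actions/checkout` through its `token:` input (the `env: GITHUB_TOKEN:` on that step appears not to be read by checkout, which defaults to `github.token`); otherwise gate the job on `github.event.comment.author_association` being OWNER, MEMBER or COLLABORATOR before any checkout happens.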
@@ -35,17 +39,17 @@ jobs: echo "REPO=$(gh pr view ${{ github.event.issue.number }} --repo ${{ github.repository }} --json headRepository,headRepositoryOwner --jq '[.headRepositoryOwner.login,.headRepository.name] | join("/")')" >> $GITHUB_ENV env: GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 repository: ${{ env.REPO }} ref: ${{ env.BRANCH_NAME }} env: GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }} - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ${{ env.CI_TOOLS_DIR }} diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml index 4dc3aed1b853..bb7470473a15 100644 --- a/.github/workflows/pr-merged.yaml +++ b/.github/workflows/pr-merged.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Send repository dispatch event" - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.NOTIFY_BOT_PAT_TOKEN }} script: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d71caa71c30d..72aa72dd88f1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -29,10 +29,10 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: "master" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod - name: install-kuma-ci-tools 
@@ -91,7 +91,7 @@ jobs: run: | release-tool changelog.md --repo ${{ github.repository }} > CHANGELOG.md - name: "Create Pull Request" - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: commit-message: "docs(CHANGELOG.md): updating changelog and version files" signoff: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000000..233ba5684416 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,62 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '35 3 * * 1' + push: + branches: ["master"] +# Declare default permissions as read only. +permissions: read-all +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. 
+ publish_results: true + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif diff --git a/.github/workflows/update-docs.yaml b/.github/workflows/update-docs.yaml index ef691dda02c9..ff3a6a024c53 100644 --- a/.github/workflows/update-docs.yaml +++ b/.github/workflows/update-docs.yaml @@ -16,16 +16,18 @@ env: OUTPUT_PATH: app/assets VERSION_FILE: app/_data/versions.yml EDITION: kuma +permissions: + contents: read jobs: generate-docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 ref: master path: repo - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: repo/go.mod - name: "sync docs" # loop over all the branches and generate the docs @@ -46,7 +48,7 @@ jobs: cp versions.yml ../docs-build/raw/ fi done - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: ${{ env.DOCS_REPO }} path: docs @@ -63,7 +65,7 @@ jobs: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} - name: "Create Pull Request" - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: path: docs commit-message: "chore(deps): update docs from repo source" 
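Review bot: The new scorecard.yml pins `actions/checkout` to v3.1.0, `actions/upload-artifact` to v3.1.0 and `github/codeql-action/upload-sarif` to v2.2.4, while every other workflow in this same change moves those actions to v4.1.1, v4.0.0 and v3.22.12 respectively; the file appears to have been taken from the OpenSSF template without being aligned. Reusing the SHAs already vetted elsewhere in this diff keeps a single pinned version per action for the next bulk update: `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, `uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0`, `uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12`. Keep the `persist-credentials: false` on the checkout step, which none of the other workflows in this change set. The file also uses the `.yml` extension while the rest of the workflows touched here use `.yaml`.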
diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml index 954ac81d2ccc..2d5113dc0f1b 100644 --- a/.github/workflows/update-insecure-dependencies.yaml +++ b/.github/workflows/update-insecure-dependencies.yaml @@ -35,10 +35,10 @@ jobs: with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.branch }} - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: go.mod - name: "Install tools" @@ -63,7 +63,7 @@ jobs: echo "$SCAN_OUTPUT_AFTER" >> $GITHUB_ENV echo "EOF" >> $GITHUB_ENV - name: "Create Pull Request" - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: commit-message: "chore(deps): security update" signoff: true diff --git a/tools/postgres/Dockerfile b/tools/postgres/Dockerfile index 2e07ee89f056..28da21cb7e08 100644 --- a/tools/postgres/Dockerfile +++ b/tools/postgres/Dockerfile @@ -2,7 +2,7 @@ ARG MODE # With test-containers building the same image many times have race conditions when deleting the images # We therefore add a unique ID just to make images different ARG UNIQUEID -FROM postgres:latest AS pg-tls +FROM postgres:latest@sha256:e2135391c55eb2ecabaaaeef4a9538bb8915c1980953fb6ce41a2d6d3e4b5695 AS pg-tls COPY pg_hba.conf /var/lib/postgresql/pg_hba.conf COPY certs/rootCA.crt /var/lib/postgresql/rootCA.crt COPY certs/postgres.server.crt /var/lib/postgresql/postgres.server.crt 
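Review bot: Pinning `postgres:latest@sha256:e2135391…` freezes the image but leaves the tag with no version information, so a reader cannot tell which Postgres major the `pg-tls` stage is built on, and any refresh of the digest (by hand or via the new `/tools/postgres` Dependabot entry) will follow wherever `latest` moves, including across major releases. Pin the tag to the major that this digest actually resolves to, e.g. `FROM postgres:<major>@sha256:e2135391c55eb2ecabaaaeef4a9538bb8915c1980953fb6ce41a2d6d3e4b5695 AS pg-tls`, and do the same for the `pg-standard` stage in the next hunk, so digest updates stay within one major line. The major number is not visible in this diff and needs to be looked up from the registry before committing.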
@@ -10,7 +10,7 @@ COPY certs/postgres.server.key /var/lib/postgresql/postgres.server.key RUN chown -R postgres /var/lib/postgresql && \ chmod 600 /var/lib/postgresql/postgres.server.key CMD ["-c", "ssl=on", "-c", "max_connections=10000", "-c", "ssl_cert_file=/var/lib/postgresql/postgres.server.crt", "-c", "ssl_key_file=/var/lib/postgresql/postgres.server.key", "-c", "ssl_ca_file=/var/lib/postgresql/rootCA.crt", "-c", "hba_file=/var/lib/postgresql/pg_hba.conf"] -FROM postgres:latest AS pg-standard +FROM postgres:latest@sha256:e2135391c55eb2ecabaaaeef4a9538bb8915c1980953fb6ce41a2d6d3e4b5695 AS pg-standard CMD ["-c", "max_connections=10000"] FROM pg-${MODE}