From e2844c676ab6933c10b5fe62deb495127385ed7a Mon Sep 17 00:00:00 2001 From: "minder-by-stacklok[bot]" <165083860+github-actions[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 06:40:41 +0000 Subject: [PATCH] Replace unpinned actions with pinned action --- .../build-binary-signed-ghat-malicious.yml | 5 +---- .github/workflows/build-binary-signed-ghat.yml | 4 +--- .github/workflows/build-binary-unsigned.yml | 4 +--- .../build-image-signed-cosign-malicious.yml | 14 +------------- .../build-image-signed-cosign-static-copied.yml | 15 ++------------- .../build-image-signed-cosign-static.yml | 15 ++------------- .github/workflows/build-image-signed-cosign.yml | 13 +------------ .../build-image-signed-ghat-malicious.yml | 10 ++-------- .../build-image-signed-ghat-static-copied.yml | 9 ++------- .../workflows/build-image-signed-ghat-static.yml | 9 ++------- .github/workflows/build-image-signed-ghat.yml | 9 ++------- 11 files changed, 17 insertions(+), 90 deletions(-) diff --git a/.github/workflows/build-binary-signed-ghat-malicious.yml b/.github/workflows/build-binary-signed-ghat-malicious.yml index 9076f011..9bf8e740 100644 --- a/.github/workflows/build-binary-signed-ghat-malicious.yml +++ b/.github/workflows/build-binary-signed-ghat-malicious.yml @@ -1,8 +1,6 @@ name: binary-signed-ghat-malicious - on: workflow_dispatch: - jobs: build: permissions: @@ -12,8 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: The malicious step run: | echo "# This is a malicious update" >> app.py diff --git a/.github/workflows/build-binary-signed-ghat.yml b/.github/workflows/build-binary-signed-ghat.yml index e815acbc..7b216c33 100644 --- a/.github/workflows/build-binary-signed-ghat.yml +++ b/.github/workflows/build-binary-signed-ghat.yml @@ -1,8 +1,6 @@ name: binary-signed-ghat - on: workflow_dispatch: - jobs: build: permissions: 
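Review bot: The pin comment on the new `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4` line records only the floating major, while the SHA fixes one specific release (it appears to be v4.1.1), and Dependabot resolves a SHA pin through that trailing comment, so a bare `# v4` makes the pin harder to bump and audit. I would write `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; the same applies to the identical lines this commit adds to build-binary-signed-ghat.yml and build-binary-unsigned.yml. The image workflows in this patch keep checkout at `f43a0e5ff2bd294095638e18286ca9a3d1956744`, so after this commit the repository tracks two different checkout releases; aligning all of them on one annotated pin keeps bumps and rollbacks simple. The `build` job this step belongs to starts before the hunk.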
@@ -12,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 # TODO: add that when we support artifacts other than containers # diff --git a/.github/workflows/build-binary-unsigned.yml b/.github/workflows/build-binary-unsigned.yml index db5b8ecf..117eb4bf 100644 --- a/.github/workflows/build-binary-unsigned.yml +++ b/.github/workflows/build-binary-unsigned.yml @@ -1,8 +1,6 @@ name: binary-unsigned - on: workflow_dispatch: - jobs: build: permissions: @@ -12,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 # TODO: add that when we support artifacts other than containers # diff --git a/.github/workflows/build-image-signed-cosign-malicious.yml b/.github/workflows/build-image-signed-cosign-malicious.yml index e4a27fd8..6ebe5648 100644 --- a/.github/workflows/build-image-signed-cosign-malicious.yml +++ b/.github/workflows/build-image-signed-cosign-malicious.yml 
@@ -1,47 +1,37 @@ name: image-signed-cosign(latest,daily)-malicious on: workflow_dispatch: - env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: The malicious step run: | echo "# This is a malicious update" >> app.py - - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 - + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 - name: Setup Docker buildx uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract Docker metadata id: meta uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -52,8 +42,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - - name: Sign the published Docker image env: DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/build-image-signed-cosign-static-copied.yml b/.github/workflows/build-image-signed-cosign-static-copied.yml index 0532b2be..368e17f8 100644 --- a/.github/workflows/build-image-signed-cosign-static-copied.yml +++ b/.github/workflows/build-image-signed-cosign-static-copied.yml 
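Review bot: `sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0` is the only step in this hunk whose SHA pin says which release it is; the surrounding `actions/checkout@f43a0e5…`, `docker/setup-buildx-action@79abd3f…`, `docker/login-action@28218f9…`, `docker/metadata-action@98669ae…` and `docker/build-push-action@ac9327e…` lines are commit-pinned with no version noted, so nothing in the workflow says what they track or how stale they are. Annotate each with its tag, e.g. `uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c # vX.Y.Z` with the real tag filled in, as was done for cosign-installer; that comment is also what lets Dependabot's `github-actions` ecosystem propose SHA bumps for them. Judging from the SHAs alone I cannot tell how far behind their current majors these are, which is exactly the gap the comment closes. The same unannotated pins recur in the other three cosign workflows in this patch, and the `build` job continues past the hunk into the cosign sign step.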
@@ -1,43 +1,34 @@ name: image-signed-cosign(static)-copied on: workflow_dispatch: - env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 - + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 - name: Setup Docker buildx uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract Docker metadata id: meta uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -45,9 +36,7 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:static context: . - file : Dockerfile.static - - + file: Dockerfile.static - name: Sign the published Docker image env: DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/build-image-signed-cosign-static.yml b/.github/workflows/build-image-signed-cosign-static.yml index 90b9346c..26a7c3b2 100644 --- a/.github/workflows/build-image-signed-cosign-static.yml +++ b/.github/workflows/build-image-signed-cosign-static.yml 
@@ -1,43 +1,34 @@ name: image-signed-cosign(static) on: workflow_dispatch: - env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 - + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 - name: Setup Docker buildx uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract Docker metadata id: meta uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -45,9 +36,7 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:static context: . - file : Dockerfile.static - - + file: Dockerfile.static - name: Sign the published Docker image env: DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/build-image-signed-cosign.yml b/.github/workflows/build-image-signed-cosign.yml index 92202326..96f6e1f5 100644 --- a/.github/workflows/build-image-signed-cosign.yml +++ b/.github/workflows/build-image-signed-cosign.yml 
@@ -1,43 +1,34 @@ name: image-signed-cosign(latest,daily) on: workflow_dispatch: - env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 - + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 - name: Setup Docker buildx uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract Docker metadata id: meta uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -48,8 +39,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - - name: Sign the published Docker image env: DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/build-image-signed-ghat-malicious.yml b/.github/workflows/build-image-signed-ghat-malicious.yml index 0921ea9c..8afaf6cb 100644 --- a/.github/workflows/build-image-signed-ghat-malicious.yml +++ b/.github/workflows/build-image-signed-ghat-malicious.yml @@ -1,7 +1,6 @@ name: image-signed-ghat(latest)-malicious on: workflow_dispatch: - jobs: build: runs-on: ubuntu-latest 
@@ -9,22 +8,18 @@ jobs: id-token: write packages: write contents: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: The malicious step run: | make build-malicious-image - - name: Log into ghcr.io uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push image id: push-step uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -32,10 +27,9 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:latest context: . - - name: Attest image - uses: github-early-access/generate-build-provenance@main + uses: github-early-access/generate-build-provenance@3bfd91bfee170b89e21d845828cbe80581656edd # main with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push-step.outputs.digest }} - push-to-registry: true \ No newline at end of file + push-to-registry: true diff --git a/.github/workflows/build-image-signed-ghat-static-copied.yml b/.github/workflows/build-image-signed-ghat-static-copied.yml index d03734e2..645590c8 100644 --- a/.github/workflows/build-image-signed-ghat-static-copied.yml +++ b/.github/workflows/build-image-signed-ghat-static-copied.yml @@ -1,7 +1,6 @@ name: image-signed-ghat(static)-copied on: workflow_dispatch: - jobs: build: runs-on: ubuntu-latest @@ -9,18 +8,15 @@ jobs: id-token: write packages: write contents: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Log into ghcr.io uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push image id: push-step uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a 
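Review bot: The new `uses: github-early-access/generate-build-provenance@3bfd91bfee170b89e21d845828cbe80581656edd # main` line pins an immutable commit, but its comment names a branch rather than a release, so there is no stated version to compare future bumps against and comment-driven updaters cannot track it. Record what was pinned instead, e.g. `# main as of 2024-04-16` (the commit date in this patch) or a tag if the repository publishes one, and since the org name reads as early-access, say so next to the pin so nobody mistakes it for a stable release. The same line is changed in the three other ghat workflows in this patch. The `build` job's `permissions:` block in the earlier hunk on this file grants `contents: write`, which the cosign workflows do not need; if this attestation action does not require it either, narrow it to `contents: read`, but check the action's documented requirements first since early-access versions may store attestations in the repository.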
@@ -28,10 +24,9 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:static context: . - file : Dockerfile.static - + file: Dockerfile.static - name: Attest image - uses: github-early-access/generate-build-provenance@main + uses: github-early-access/generate-build-provenance@3bfd91bfee170b89e21d845828cbe80581656edd # main with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push-step.outputs.digest }} diff --git a/.github/workflows/build-image-signed-ghat-static.yml b/.github/workflows/build-image-signed-ghat-static.yml index bfc3eac1..10c6b205 100644 --- a/.github/workflows/build-image-signed-ghat-static.yml +++ b/.github/workflows/build-image-signed-ghat-static.yml @@ -1,7 +1,6 @@ name: image-signed-ghat(static) on: workflow_dispatch: - jobs: build: runs-on: ubuntu-latest @@ -9,18 +8,15 @@ jobs: id-token: write packages: write contents: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Log into ghcr.io uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push image id: push-step uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -28,10 +24,9 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:static context: . - file : Dockerfile.static - + file: Dockerfile.static - name: Attest image - uses: github-early-access/generate-build-provenance@main + uses: github-early-access/generate-build-provenance@3bfd91bfee170b89e21d845828cbe80581656edd # main with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push-step.outputs.digest }} diff --git a/.github/workflows/build-image-signed-ghat.yml b/.github/workflows/build-image-signed-ghat.yml index 0edc6b6d..9af364df 100644 --- a/.github/workflows/build-image-signed-ghat.yml +++ b/.github/workflows/build-image-signed-ghat.yml 
@@ -1,7 +1,6 @@ name: image-signed-ghat(latest) on: workflow_dispatch: - jobs: build: runs-on: ubuntu-latest @@ -9,18 +8,15 @@ jobs: id-token: write packages: write contents: write - steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - - name: Log into ghcr.io uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push image id: push-step uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a @@ -28,10 +24,9 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:latest context: . - - name: Attest image - uses: github-early-access/generate-build-provenance@main + uses: github-early-access/generate-build-provenance@3bfd91bfee170b89e21d845828cbe80581656edd # main with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push-step.outputs.digest }} - push-to-registry: true \ No newline at end of file + push-to-registry: true