CI: harden GitHub Actions workflows security #200
✅ Deploy Preview for node-readiness-controller canceled.
4e77f8a to 043ee66
ajaysundark left a comment:
@vitorfloriano Thanks for the PR! I support the security hardening changes as they align with Kubernetes policies. However, I'd like to discuss the addition of the new zizmor tool with other maintainers before adding it to CI. Could we split this PR or hold on the tool addition for now?
043ee66 to c735160
Hi @ajaysundark I split the PR in two, as suggested. See #210
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false |
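Review bot: persist-credentials: false removes the token that actions/checkout would otherwise leave in .git/config, so a git push from a later step of this same job will fail unless that step is handed a token explicitly (for example through env and a remote URL that embeds it); if this job pushes, either leave persist-credentials at its default or wire the token into the push step. fetch-depth: 0 is unaffected, because the checkout itself still authenticates with the token before discarding it.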
question: will we have side-effects here, if we are setting this to false. Push will require some token I believe. Feel free to correct me here!
For this one we should indeed persist the credentials. Fixed!
c735160 to f3f826a
| - name: Install govulncheck | ||
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | ||
| run: go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4 |
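Review bot: the trailing "# v1.1.4" comment is now the only link between d1f380186385b4f64e00313f31743df8e4b89a77 and the release it claims to be, so it should be checked once against the v1.1.4 tag in golang.org/x/vuln and kept in sync whenever the hash is bumped; a hash whose comment has drifted is worse than the unpinned tag on the removed line, because it looks reviewed. Pinning to the commit rather than the tag does what it should here: the tag can be moved, the commit cannot.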
@AvineshTripathi In this second pass I also amended the commit to add this. PTAL.
/cc @AvineshTripathi
/lgtm please get an ack from @AvineshTripathi as well before final approval.
/lgtm Thanks for the changes!
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ajaysundark, vitorfloriano. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This PR hardens the security on GitHub Actions workflows.
Summary of changes:
- Add `persist-credentials: false` to the checkout action to remediate artipacked.
- Set `permissions: {}` (none) at the workflow level and grant the necessary permissions at job level, as needed, to remediate excessive permissions.
- Pin the `govulncheck` install to a commit hash.
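The three changes summarized above, plus the push-job caveat raised in the review thread, as one added workflow example. This is not the project's own workflow: the job names, the trigger, the release job that pushes a tag, and the assumption that the runner image already provides a Go toolchain (no setup-go step, so no extra action pin is needed) are all made up for the illustration. The two action/module pins are the ones shown in the diff above. Where the thread's fix for the pushing job was to keep credentials persisted, the release job here shows the other option: keep `persist-credentials: false` and hand the token only to the step that pushes.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: no GITHUB_TOKEN scopes at all. Every job below
# re-grants only what it needs (remediates zizmor's excessive-permissions).
permissions: {}

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # read-only checkout; nothing is written back
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Do not leave GITHUB_TOKEN in .git/config on the runner, where any
          # later step or a compromised dependency could read it (artipacked).
          persist-credentials: false
      - name: Install govulncheck
        # Pinned to an immutable commit, not a movable tag; the comment records
        # which release the commit corresponds to and must be kept in sync.
        run: go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4
      - name: Run govulncheck
        # Assumption: the runner image provides Go, so no setup-go step is used.
        run: govulncheck ./...

  release:
    # Hypothetical job (not from the PR): the one job that pushes back to the
    # repository, so it is the only job that needs write access.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write           # needed for git push; no other job gets this
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0        # full history is still fetched; the token is
          persist-credentials: false   # simply not left behind afterwards
      - name: Push build tag
        # Because credentials were not persisted, the push step is given the
        # token explicitly and embeds it in the remote URL for this one command.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          tag="build-${GITHUB_SHA::8}"
          git tag -a "$tag" -m "ci build ${GITHUB_SHA}"
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$tag"
```

The point of keeping `persist-credentials: false` even in the pushing job is that the token then lives only in that step's environment, not on disk for the whole job; whether that is worth the extra plumbing over simply leaving the default, as the thread chose, is a judgement call per workflow.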