diff --git a/.github/workflows/build-push.yaml b/.github/workflows/build-push.yaml index af4d3b0b5..1598335f9 100644 --- a/.github/workflows/build-push.yaml +++ b/.github/workflows/build-push.yaml @@ -31,7 +31,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -55,7 +55,7 @@ jobs: buildah push "${OPERATOR_IMG}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${OPERATOR_IMG}-${TARGETARCH}" - name: Upload image artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: image-${{ matrix.targetarch }}-${{ github.run_id }} path: /tmp/image-${{ matrix.targetarch }}.tar @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -99,18 +99,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Download AMD64 image - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: image-amd64-${{ github.run_id }} path: /tmp - name: Download ARM64 image - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: image-arm64-${{ github.run_id }} path: /tmp diff --git a/.github/workflows/console.yaml b/.github/workflows/console.yaml index 739dbe317..0c1d455e2 100644 --- a/.github/workflows/console.yaml +++ b/.github/workflows/console.yaml @@ -8,12 +8,17 @@ on: paths: - "console/" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Build the console container run: | make console-build diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index d0049874b..56d501ee8 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -16,12 +16,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index f6fd023aa..936bfe644 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Setup go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 000000000..1d4c1bad4 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + branches: ["main"] + paths: + - ".github/workflows/**" + pull_request: + branches: ["main"] + paths: + - ".github/workflows/**" + +permissions: + contents: read + security-events: write + +jobs: + zizmor: + name: Zizmor latest + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + sarif-upload: true