CI: harden GitHub Actions workflows security #200
vitorfloriano wants to merge 1 commit into kubernetes-sigs:main from
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: vitorfloriano. Needs approval from an approver in each of these files.
4e77f8a to 043ee66
ajaysundark
left a comment
@vitorfloriano Thanks for the PR! I support the security hardening changes as they align with Kubernetes policies. However, I'd like to discuss the addition of the new zizmor tool with other maintainers before adding it to CI. Could we split this PR or hold on the tool addition for now?
| - name: Run zizmor | ||
| uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 | ||
| with: |
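Review bot: the action is pinned to a full commit SHA with the release recorded in the trailing `# v0.5.3` comment, which is the same pattern the rest of the PR applies; the `with:` block is cut off in this snippet, so the inputs passed to zizmor (the configuration the thread defers to #210) cannot be reviewed here, and a short comment on each input would answer the question the maintainers raise below about its implications.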
What are the implications of doing this?
I'm not familiar with the tool. Could you clarify this configuration?
I explain the chosen config in the description of #210
043ee66 to c735160
Hi @ajaysundark I split the PR in two, as suggested. See #210
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false |
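Review bot: `persist-credentials: false` means the checkout token is not written into `.git/config`, so any later step in this job that runs `git push` will fail unless it supplies its own credential; together with `fetch-depth: 0` this looks like a job that works on full history, so the question below about pushing is the right one to settle before merging, and the follow-up in this thread restores the credential for this job.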
Question: will we have side-effects here if we are setting this to false? Push will require some token, I believe. Feel free to correct me here!
For this one we should indeed persist the credentials. Fixed!
c735160 to f3f826a
| - name: Install govulncheck | ||
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | ||
| run: go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4 |
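Review bot: replacing the `@v1.1.4` tag with the commit hash removes the dependency on a mutable tag and matches the SHA pins used for the actions in this PR; keep the trailing `# v1.1.4` comment in step with the hash on future bumps so the human-readable version stays truthful.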
@AvineshTripathi In this second pass I also amended the commit to add this. PTAL.
This PR hardens the security on GitHub Actions workflows.
Summary of changes:
- `persist-credentials: false` on the checkout action, to remediate artipacked.
- `permissions: {}` (none), with necessary permissions granted at job level as needed, to remediate excessive permissions.
- `govulncheck` install pinned to a commit hash.
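A workflow fragment showing each weak setting beside the hardened form the PR describes; this is an added illustration, not the repository's own workflow. The checkout and govulncheck pins are the ones quoted in this thread, the `actions/setup-go` SHA is a placeholder, and the job names are hypothetical.

```yaml
# Added illustration (not the node-readiness-controller workflow itself).
name: ci
on:
  pull_request:
  push:
    branches: [main]

# before: no top-level permissions key, so every job got the default token scopes
permissions: {}            # start from nothing; each job grants only what it needs

jobs:
  vulncheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # job-level grant: this job only reads the tree
    steps:
      # before: uses: actions/checkout@v4        (mutable tag, can be re-pointed)
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false   # artipacked: do not leave the token in .git/config
      # placeholder SHA below: replace with the real commit of the setup-go release you pin
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          go-version-file: go.mod
      - name: Install govulncheck
        # before: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4   (tag, not a hash)
        run: go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4
      - run: govulncheck ./...

  publish:
    runs-on: ubuntu-latest
    needs: vulncheck
    permissions:
      contents: write      # this job pushes, so it needs write on contents
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0
          persist-credentials: true    # kept, as discussed above, because a later step pushes
      # ... steps that commit and `git push` using the persisted token ...
```

Only the job that actually pushes keeps the persisted token and a `contents: write` grant; every other job inherits the empty top-level `permissions: {}` and reads with a non-persisted checkout.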