
Harden usage of GitHub Actions #132

Merged: acornett21 merged 6 commits into main from gha-hardening on Jun 15, 2026

Conversation

caxu-rh (Contributor) commented Jun 15, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD security by pinning GitHub Actions to specific commit hashes and implementing stricter job permissions across build workflows.
    • Added a 7-day cooldown period for dependency updates to reduce update frequency and improve stability.
    • Improved workflow logging and environment variable handling for better build transparency.

caxu-rh added 6 commits June 15, 2026 11:15
Signed-off-by: Caleb Xu <caxu@redhat.com>
Signed-off-by: Caleb Xu <caxu@redhat.com>
Signed-off-by: Caleb Xu <caxu@redhat.com>
Signed-off-by: Caleb Xu <caxu@redhat.com>
Signed-off-by: Caleb Xu <caxu@redhat.com>
Signed-off-by: Caleb Xu <caxu@redhat.com>
@openshift-ci openshift-ci Bot requested review from bcrochet and komish June 15, 2026 18:02
@caxu-rh caxu-rh changed the title Gha hardening Harden usage of GitHub Actions Jun 15, 2026
coderabbitai Bot commented Jun 15, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4a55ae48-f71a-48bf-9776-f7e5e7421681

📥 Commits

Reviewing files that changed from the base of the PR and between dd72437 and 61462aa.

📒 Files selected for processing (5)
  • .github/dependabot.yml
  • .github/workflows/build-main.yml
  • .github/workflows/build-release.yml
  • .github/workflows/dependabot.yml
  • .github/workflows/go.yml

Walkthrough

Adds a 7-day cooldown to both Dependabot ecosystems in .github/dependabot.yml, restricts GitHub token permissions in build-release.yml and go.yml, and pins all GitHub Actions uses: references to specific commit SHAs across four workflow files. Also adds a SHA_SHORT env step, disables setup-go caching, sets persist-credentials: false, and routes push-image output through a REGISTRY_PATHS environment variable.

Changes

CI/CD Hardening

Dependabot cooldown config (.github/dependabot.yml): Adds cooldown.default-days: 7 to both the gomod and github-actions update entries.

Workflow permission scoping (.github/workflows/build-release.yml, .github/workflows/go.yml): Adds explicit permissions: {} at workflow level and narrows the main job to contents: read in both build-release.yml and go.yml.

Action SHA pinning and workflow behavior updates (.github/workflows/build-main.yml, .github/workflows/build-release.yml, .github/workflows/dependabot.yml, .github/workflows/go.yml): Replaces all floating version tags (@v2, @v4, @v5, @v6) with commit-SHA-pinned references across all four workflow files. Adds a SHA_SHORT env-writing step in build-main, disables setup-go action caching (cache: false), adds persist-credentials: false to checkout steps, and changes push-image output logging to use a REGISTRY_PATHS environment variable instead of inline step-output interpolation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Test Structure And Quality: ⚠️ Warning. Explanation: All 6 assertions in version_test.go lack meaningful failure messages. For example, Expect(Version.Version).To(Equal(ldflagVersionOverride)) should include a message like "failed to set version fr... Resolution: Add explicit failure messages to all 6 Expect assertions. Example: Expect(Version.Version).To(Equal(ldflagVersionOverride), "version should be set from ldflags")
✅ Passed checks (6 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Harden usage of GitHub Actions' clearly and concisely summarizes the main changes across all modified workflow files, which involve pinning GitHub Actions to specific commit SHAs and tightening job permissions.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. PR includes Ginkgo tests (version_test.go, version_suite_test.go) with deterministic test names: no dynamic content like generated IDs, timestamps, node/pod names, IP addresses, or interpolation de...

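The hardening the walkthrough describes (commit-SHA pinning of every uses: reference, a workflow-level permissions: {} so jobs opt in to contents: read, persist-credentials: false on checkout, and a Dependabot cooldown) is the kind of thing worth checking mechanically so it does not regress on the next workflow edit. The checker below is an added example for this page, not code from this repository or from CodeRabbit. It assumes a regex scan over the raw file text rather than a YAML parser (enough for the usual one-step-per-list-item layout, not a full YAML implementation), the two sample workflow fragments and two Dependabot fragments are constructed for the example, and the 40-hex pins in the hardened sample are placeholder strings, not real commits of actions/checkout or actions/setup-go. The cache: false and SHA_SHORT changes from the PR are not checked.

```python
import re

# A full 40-hex commit SHA is the only `uses:` ref that a moved tag or branch push cannot retarget.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
STEP_RE = re.compile(r"^\s*-\s")  # start of the next list item, i.e. the next step


def check_workflow(text: str) -> list[str]:
    """Return hardening findings for one workflow file; an empty list means it passes."""
    findings = []
    lines = text.splitlines()
    # A column-0 `permissions:` key is the workflow-level default; `permissions: {}` drops every
    # GITHUB_TOKEN scope so each job has to request what it needs (e.g. `contents: read`).
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("workflow-level 'permissions:' missing; GITHUB_TOKEN keeps the repository default scopes")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and docker:// actions are not resolved through a GitHub ref
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"{ref}: not pinned to a 40-hex commit SHA (keep the tag in a trailing comment)")
        if action == "actions/checkout":
            # Scan the rest of this step (up to the next `- ` item) for persist-credentials: false;
            # without it the token is written to .git/config and readable by every later step.
            body = []
            for nxt in lines[i + 1:]:
                if STEP_RE.match(nxt):
                    break
                body.append(nxt)
            if not any(re.match(r"^\s*persist-credentials:\s*false\b", b) for b in body):
                findings.append(f"{ref}: persist-credentials is not false; GITHUB_TOKEN stays in .git/config")
    return findings


def check_dependabot(text: str) -> list[str]:
    """Flag each Dependabot update entry that has no cooldown.default-days."""
    findings = []
    # One chunk per `- package-ecosystem:` entry in the updates list.
    chunks = re.split(r"^\s*-\s*package-ecosystem:", text, flags=re.M)[1:]
    for chunk in chunks:
        name = chunk.split("\n", 1)[0].strip().strip("\"'")
        if not re.search(r"^\s*default-days:\s*\d+", chunk, flags=re.M):
            findings.append(f"{name}: no cooldown; a release published minutes ago would be proposed immediately")
    return findings


# Constructed sample inputs for the example (not the repository's real workflow files).
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
"""

# Placeholder pins, not real commits of these actions.
PIN_CHECKOUT = "1" * 40
PIN_SETUP_GO = "2" * 40

HARDENED_WORKFLOW = f"""\
name: build
on: [push]
permissions: {{}}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@{PIN_CHECKOUT} # v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@{PIN_SETUP_GO} # v5
        with:
          go-version-file: go.mod
          cache: false
"""

WEAK_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
"""

# Same file with a 7-day cooldown added to both entries, as the PR does.
HARDENED_DEPENDABOT = WEAK_DEPENDABOT.replace(
    "      interval: weekly\n", "      interval: weekly\n    cooldown:\n      default-days: 7\n"
)

if __name__ == "__main__":
    for label, result in [
        ("weak workflow", check_workflow(WEAK_WORKFLOW)),
        ("hardened workflow", check_workflow(HARDENED_WORKFLOW)),
        ("weak dependabot", check_dependabot(WEAK_DEPENDABOT)),
        ("hardened dependabot", check_dependabot(HARDENED_DEPENDABOT)),
    ]:
        print(label, "->", result or "OK")
```

Run against the weak workflow it reports the missing workflow-level permissions, the two floating @v4/@v5 refs and the checkout step without persist-credentials: false; the hardened variants produce no findings. Pointing check_workflow at each file under .github/workflows/ in a pre-commit hook or CI job keeps the pinning and permission scoping from silently eroding when a new step is added.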

@acornett21 acornett21 merged commit e94099c into main Jun 15, 2026
3 checks passed