diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 18c4d24..dd38574 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,7 +11,11 @@ updates: dependency-type: "development" prod-dependencies: dependency-type: "production" + cooldown: + default-days: 7 - package-ecosystem: github-actions directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7 diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 905809d..a4b9a27 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -6,17 +6,21 @@ on: env: IMAGE_NAME: preflight-trigger - + +permissions: {} + jobs: build-main: name: Build and push main snapshot images + permissions: + contents: read strategy: matrix: architecture: [amd64] platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false # Get tags and all history in order to find latest tag in later step @@ -27,14 +31,14 @@ jobs: run: echo "RELEASE_TAG=$(git describe --abbrev=0 --tags)" >> "${GITHUB_ENV}" - name: set short sha - run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV + run: echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below 
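Review bot: The new `cooldown:` / `default-days: 7` pair in the first update entry (its `package-ecosystem` line is above the hunk) must be a sibling of `schedule:` and `groups:` at the update-entry level, not indented under the `prod-dependencies` group, and the collapsed indentation in this view does not let me confirm which it is. `cooldown` is not a key a `groups` entry accepts, so a mis-indented stanza would most likely be rejected by Dependabot's config validation rather than delay anything. The 7-day figure also deserves a why-comment, e.g. `# Wait 7 days after a release before opening an update PR so yanked or compromised releases surface first`, since the `github-actions` entry now carries the same value and the two should be kept in step.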
@@ -50,7 +54,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below @@ -61,23 +65,30 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }} imageVersion: ${{ env.SHA_SHORT }} build-coverage: + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: + cache: false go-version-file: go.mod - name: Tidy diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml index 50f67c9..387c157 100644 --- a/.github/workflows/build-release.yml +++ b/.github/workflows/build-release.yml 
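Review bot: `cache: false` on the `actions/setup-go` step in `build-coverage` is added without a comment saying why module caching is turned off, and the same line appears in the `build` job of `.github/workflows/go.yml` later in this diff. A reader will be tempted to flip it back for speed, so the reason — a cache-integrity concern, flaky restores, or simply nothing to key the cache on — should be recorded inline, e.g. `cache: false  # <reason module caching is disabled>`. Moving `registry-paths` into the `REGISTRY_PATHS` env var instead of interpolating `${{ }}` into `run:` is the right fix and matches `build-release.yml`. The `build-main` job this hunk ends starts above the hunk.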
@@ -10,25 +10,32 @@ on: env: IMAGE_NAME: preflight-trigger +permissions: {} + jobs: build-release: name: Build and push tag images + permissions: + contents: read strategy: matrix: architecture: [amd64] platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: Set Env Tags - run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV + run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}" - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below @@ -43,7 +50,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below @@ -54,7 +61,9 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }} diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml index 0491c4f..b7bfa8d 100644 --- a/.github/workflows/dependabot.yml +++ b/.github/workflows/dependabot.yml 
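Review bot: The rewritten `Set Env Tags` line in `build-release` still derives the tag with `cut -d '/' -f 3`, so a tag containing a slash (for example `release/1.2`, a constructed value) is truncated to its first segment and the image is tagged with the wrong version. The quoting fix is good, but the runner already exposes the short ref name, so `run: echo "RELEASE_TAG=${GITHUB_REF_NAME}" >> "${GITHUB_ENV}"` is both simpler and correct for any tag; if the workflow can also fire on branches (its `on:` block is above the hunk), consider guarding on `GITHUB_REF_TYPE` being `tag`. The new top-level `permissions: {}` plus job-level `contents: read` matches the other workflows in this change.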
@@ -9,6 +9,9 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: 'Dependency Review' - uses: actions/dependency-review-action@v5 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 74e5f15..e03e6b1 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -6,18 +6,25 @@ on: - main - release-* +permissions: {} + jobs: build: + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: + cache: false go-version-file: go.mod - name: Tidy
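Review bot: Unlike the other workflows in this change, the dependency-review hunk in `.github/workflows/dependabot.yml` does not add a top-level `permissions: {}` or a job-level `contents: read`; lines 1–8 of the file are outside the hunk, so if they already declare permissions this is moot, otherwise the job runs with the repository-default token scope. `actions/dependency-review-action` needs `contents: read` to fetch the diff, and `pull-requests: write` only if it is configured to comment, so the minimal job-level grant is `permissions:` with `contents: read`. Adding `persist-credentials: false` to the checkout is consistent with the rest of the commit.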