From e63f9378c91e9dc8ce938a52a80ef3ca5842a9ff Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 11:15:28 -0400
Subject: [PATCH 1/6] Add cooldown on Dependabot updates
Signed-off-by: Caleb Xu
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 18c4d24..dd38574 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,7 +11,11 @@ updates: dependency-type: "development" prod-dependencies: dependency-type: "production" + cooldown: + default-days: 7 - package-ecosystem: github-actions directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7
From 6ff806b81261f454208ebde80f31fb3f6f67d985 Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 11:18:18 -0400
Subject: [PATCH 2/6] Pin all referenced GHA actions
Signed-off-by: Caleb Xu
---
 .github/workflows/build-main.yml | 12 ++++++------
 .github/workflows/build-release.yml | 8 ++++----
 .github/workflows/dependabot.yml | 4 ++--
 .github/workflows/go.yml | 4 ++--
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
index 905809d..6c6f004 100644
--- a/.github/workflows/build-main.yml
+++ b/.github/workflows/build-main.yml
@@ -16,7 +16,7 @@ jobs: platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false # Get tags and all history in order to find latest tag in later step
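Review bot: The two new `cooldown` blocks carry no comment recording why seven days was chosen, so a later maintainer tuning update latency is likely to drop them as a needless delay; I would put `# hold newly published releases for a week so compromised or withdrawn versions are caught before they are adopted` above each `cooldown:` key. Also confirm against the Dependabot documentation for the config version in use that security updates are exempt from the cooldown, since otherwise this setting also postpones fixes for already published advisories by the same week. The github-actions entry is the one the SHA pins in the following commit depend on, so the cooldown there delays pin bumps as well as tag updates, which is worth stating in the same comment.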
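Review bot: The version comment after each pinned SHA (`# v6.0.3` here, and the `# v4.1.0`, `# v2.13`, `# v2.8`, `# v6.4.0` and `# v5.0.0` comments in the remaining hunks of this commit) is what Dependabot's github-actions updater reads to keep a SHA pin current, so it has to stay accurate and present on every pin rather than being treated as decoration. A pin is only as strong as the check made when it was taken: the commit each SHA resolves to should have been compared with the tag named in the comment at pin time, which cannot be verified from the diff and is worth a line in the commit message. The same point applies to the build-release.yml, dependabot.yml and go.yml hunks of this commit, so it is raised once here.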
@@ -30,11 +30,11 @@ jobs: run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below
@@ -50,7 +50,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below
@@ -70,13 +70,13 @@ jobs: build-coverage: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 50f67c9..253b12f 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -19,16 +19,16 @@ jobs: platform: [linux] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set Env Tags run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Build Image id: build-image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 with: image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below
@@ -43,7 +43,7 @@ jobs: - name: Push Image id: push-image - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 with: image: ${{ env.IMAGE_NAME }} # TODO: If we end up releasing for other architectures we'll need the below
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 0491c4f..5b5cfec 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v5 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 74e5f15..7a5fb81 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -10,13 +10,13 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev' - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod
From 97a03c7ae97526e5c5d73d6e8a115ef97b8a311c Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 11:23:49 -0400
Subject: [PATCH 3/6] Don't persist credentials when checking out repository
Signed-off-by: Caleb Xu
---
 .github/workflows/build-main.yml | 2 ++
 .github/workflows/build-release.yml | 3 +++
 .github/workflows/dependabot.yml | 3 +++
 .github/workflows/go.yml | 2 ++
 4 files changed, 10 insertions(+)
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
index 6c6f004..cc87ac6 100644
--- a/.github/workflows/build-main.yml
+++ b/.github/workflows/build-main.yml
@@ -71,6 +71,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 253b12f..4a7b74f 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -20,6 +20,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: Set Env Tags run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 5b5cfec..b7bfa8d 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -10,5 +10,8 @@ jobs: steps: - name: 'Checkout Repository' uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: 'Dependency Review' uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 7a5fb81..325f21b 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install system deps run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
From 8865303cd24483c348746bcd452ea28755641c04 Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 11:24:52 -0400
Subject: [PATCH 4/6] Prevent gomod cache poisoning in setup-go
Signed-off-by: Caleb Xu
---
 .github/workflows/build-main.yml | 1 +
 .github/workflows/go.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
index cc87ac6..86e0c1d 100644
--- a/.github/workflows/build-main.yml
+++ b/.github/workflows/build-main.yml
@@ -80,6 +80,7 @@ jobs: - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: + cache: false go-version-file: go.mod - name: Tidy
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 325f21b..1962196 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -20,6 +20,7 @@ jobs: - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: + cache: false go-version-file: go.mod - name: Tidy
From 4fd26f42ee77c9991703b58fa3c064af0cfb2907 Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 13:54:44 -0400
Subject: [PATCH 5/6] Add explicit permissions on all jobs
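Review bot: `cache: false` is added without a comment in both setup-go steps (the build-main hunk and the go.yml hunk), so a future contributor chasing build time is likely to switch it back on; I would put `# cache: false — a restored build/module cache is trusted as-is, so a poisoned cache entry would feed straight into the build` above the key. The commit subject speaks only of the module cache, but as far as I can tell setup-go's cache also covers the Go build cache, which is the part that is never re-checked against go.sum, so the comment should name the build cache as the main concern. The `Tidy` step that follows still runs, so module downloads are fetched and checked against go.sum on every run; that is the intended cost of this change and is worth saying in the same comment.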
Signed-off-by: Caleb Xu
---
 .github/workflows/build-main.yml | 8 +++++++-
 .github/workflows/build-release.yml | 4 ++++
 .github/workflows/go.yml | 4 ++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
index 86e0c1d..ff4cfbe 100644
--- a/.github/workflows/build-main.yml
+++ b/.github/workflows/build-main.yml
@@ -6,10 +6,14 @@ on: env: IMAGE_NAME: preflight-trigger - + +permissions: {} + jobs: build-main: name: Build and push main snapshot images + permissions: + contents: read strategy: matrix: architecture: [amd64]
@@ -68,6 +72,8 @@ jobs: imageVersion: ${{ env.SHA_SHORT }} build-coverage: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 4a7b74f..5ee00f3 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -10,9 +10,13 @@ on: env: IMAGE_NAME: preflight-trigger +permissions: {} + jobs: build-release: name: Build and push tag images + permissions: + contents: read strategy: matrix: architecture: [amd64]
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 1962196..e03e6b1 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -6,8 +6,12 @@ on: - main - release-* +permissions: {} + jobs: build: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
From 61462aaf7a9837040adb84a16646d1232f30a0dc Mon Sep 17 00:00:00 2001
From: Caleb Xu
Date: Mon, 15 Jun 2026 13:57:05 -0400
Subject: [PATCH 6/6] Harden against template injection attacks in GHA workflows
Signed-off-by: Caleb Xu
---
 .github/workflows/build-main.yml | 6 ++++--
 .github/workflows/build-release.yml | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
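Review bot: The workflow in `.github/workflows/dependabot.yml` receives no `permissions` block in this commit, although the subject says all jobs and that file was touched by the two preceding commits; its diffstat lists only build-main, build-release and go.yml, so that job still runs with whatever default token scopes the repository grants. Its checkout and `dependency-review-action` steps need only `contents: read` for the review itself (plus `pull-requests: write` if the action is configured to post a summary comment, which is not visible here), so a top-level `permissions: {}` and a job-level `permissions:` / `contents: read` pair like the ones added in the go.yml hunk would close the gap. The file-scope `permissions: {}` is the right default in the three files that got it, since any job added later without its own block then gets an empty token rather than the repository default; a one-line comment above it saying so would stop someone from "tidying" it away.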
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
index ff4cfbe..a4b9a27 100644
--- a/.github/workflows/build-main.yml
+++ b/.github/workflows/build-main.yml
@@ -31,7 +31,7 @@ jobs: run: echo "RELEASE_TAG=$(git describe --abbrev=0 --tags)" >> "${GITHUB_ENV}" - name: set short sha - run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV + run: echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
@@ -65,7 +65,9 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }}
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 5ee00f3..387c157 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -28,7 +28,7 @@ jobs: persist-credentials: false - name: Set Env Tags - run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV + run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
@@ -61,7 +61,9 @@ jobs: password: ${{ secrets.REGISTRY_PASSWORD }} - name: Print image url - run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}" + run: echo "Image pushed to ${REGISTRY_PATHS}" + env: + REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }} outputs: imageName: ${{ env.IMAGE_NAME }}
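Review bot: In the build-release `@@ -28,7` hunk the rewritten `Set Env Tags` step still derives the tag with `cut -d '/' -f 3`, which truncates any tag containing a slash (`refs/tags/release/1.2` becomes `release`) and silently yields a wrong image tag; the runner already exposes the short ref, so `run: echo "RELEASE_TAG=${GITHUB_REF_NAME}" >> "${GITHUB_ENV}"` is both shorter and exact. The `REGISTRY_PATHS` env indirection in both `Print image url` hunks is the right shape: the action output reaches the shell as data rather than being spliced into the script text. As far as the diff shows, the remaining `${{ }}` expressions in these files feed action `with:` inputs and job `outputs:` rather than `run:` scripts, so they are outside the injection surface this commit addresses.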