diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml new file mode 100644 index 0000000..6086cd4 --- /dev/null +++ b/.github/workflows/actionci.yml @@ -0,0 +1,22 @@ +name: Action CI + +on: + push: + tags-ignore: + - 'v*' + branches: + - "main" + pull_request: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + actionci: + permissions: + contents: read + security-events: write + uses: smallstep/workflows/.github/workflows/actionci.yml@main + secrets: inherit diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml deleted file mode 100644 index 8e9248e..0000000 --- a/.github/workflows/actionlint.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Lint GitHub Actions workflows -on: - push: - workflow_call: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -permissions: - contents: write - pull-requests: write - -jobs: - actionlint: - uses: smallstep/workflows/.github/workflows/actionlint.yml@main - secrets: inherit diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f9006cb..78451da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: ci: + permissions: + actions: read + contents: read + security-events: write uses: smallstep/workflows/.github/workflows/goCI.yml@main with: only-latest-golang: false diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml index e235db3..3905f02 100644 --- a/.github/workflows/code-scan-cron.yml +++ b/.github/workflows/code-scan-cron.yml 
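Review bot: `secrets: inherit` forwards every repository secret to whatever `smallstep/workflows@main` resolves to at run time, and the job also holds `security-events: write` on `pull_request` runs; the `.github/zizmor.yml` added in this commit allows `ref-pin` for `smallstep/*` and disables `secrets-inherit`, so this looks deliberate, but nothing in the workflow itself records that. I'd put the rationale on the `uses:` line: `# first-party reusable workflow; @main is accepted by policy, see .github/zizmor.yml`. Minor: the push filter quotes `'v*'` and `"main"` differently — pick one style. Unlike ci.yml and release.yml in this commit, this file sets no top-level `permissions:`; for a single `uses:` job that makes no practical difference, but a `contents: read` default would keep the three files uniform.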
@@ -2,6 +2,11 @@ on: schedule: - cron: '0 0 * * SUN' +permissions: + actions: read + contents: read + security-events: write + jobs: code-scan: uses: smallstep/workflows/.github/workflows/code-scan.yml@main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 72481a6..86c97ab 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: tags: - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: read + jobs: ci: uses: smallstep/step-kms-plugin/.github/workflows/ci.yml@main @@ -14,6 +17,8 @@ jobs: create_release: name: Create Release needs: ci + permissions: + contents: write runs-on: ubuntu-latest env: DOCKER_IMAGE: smallstep/step-kms-plugin @@ -30,9 +35,11 @@ jobs: steps: - name: Is Pre-release id: is_prerelease + env: + REF: ${{ github.ref }} run: | set +e - echo ${{ github.ref }} | grep "\-rc.*" + echo "${REF}" | grep "\-rc.*" OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}" @@ -110,7 +117,7 @@ jobs: - name: Authenticate to Google Cloud if: ${{ needs.create_release.outputs.is_prerelease == 'false' }} id: gcloud-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: token_format: access_token workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_PROVIDER }} @@ -118,7 +125,7 @@ jobs: - name: Set up Google Cloud SDK if: ${{ needs.create_release.outputs.is_prerelease == 'false' }} - uses: google-github-actions/setup-gcloud@v3 + uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3 with: project_id: ${{ secrets.GOOGLE_CLOUD_PACKAGES_PROJECT_ID }} 
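Review bot: The new `permissions:` block grants `security-events: write` at workflow level, whereas the ci.yml hunk in this same commit keeps the workflow default at `contents: read` and moves `actions: read` / `security-events: write` down to the job. With a single `uses:` job the effective scope is the same, but the two files now express the same intent in two shapes; I'd mirror ci.yml here with a top-level `permissions: contents: read` and the three scopes under `code-scan:`. The `code-scan` job continues past the end of the hunk, so I can't see whether it also carries `secrets: inherit`.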
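Review bot: Moving `github.ref` into the `REF` env var is the right fix for expression interpolation in `run:`, but the `set +e` / `grep "\-rc.*"` / `$?` sequence only exists to turn grep's exit status into a boolean, and newer GNU grep versions warn about the stray backslash in `\-`. A shell `case` does the same without disabling `-e` or touching grep: `case "${REF}" in *-rc*) IS_PRERELEASE=true ;; *) IS_PRERELEASE=false ;; esac`. The later GoReleaser hunk's context line `echo 'IS_PRERELEASE=${{ needs.create_release.outputs.is_prerelease }}' >> "${GITHUB_ENV}"` still expands an expression inside `run:`; the value is this workflow's own `true`/`false` output rather than external input, but routing it through `env:` as well would make the pattern uniform across the file.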
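Review bot: The trailing comment on the new SHA pin for `google-github-actions/auth`, and on `google-github-actions/setup-gcloud` in the next hunk, is the floating major tag `# v3`, while the GoReleaser pin later in the file records the exact `# v7.0.0`. Pin-update tooling that reads the version from that comment generally needs the exact release tag to know which release the SHA stands for, and a reviewer cannot otherwise check the hash against a release. I'd write `# v3.<minor>.<patch>` with the release the commit actually resolved (I can't determine it from the diff alone).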
@@ -131,7 +138,7 @@ jobs: echo 'IS_PRERELEASE=${{ needs.create_release.outputs.is_prerelease }}' >> "${GITHUB_ENV}" - name: Run GoReleaser Pro - uses: goreleaser/goreleaser-action@v7.0.0 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: distribution: goreleaser-pro version: v2.8.1 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..92a6146 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,12 @@ +rules: + unpinned-uses: + config: + policies: + "smallstep/*": ref-pin + secrets-inherit: + disable: true + ref-confusion: + disable: true + dangerous-triggers: + ignore: + - triage.yml
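Review bot: `secrets-inherit` and `ref-confusion` are switched off for the whole repository with `disable: true`, which also silences them for any third-party action added later; the `ignore:` form already used for `dangerous-triggers` would scope the exemption to the workflows that intentionally call `smallstep/workflows@main` with `secrets: inherit`. A one-line comment above each disabled rule stating why it is off (e.g. `# first-party reusable workflows are called at @main with secrets: inherit by design`) would keep the rationale next to the config. `triage.yml` is not part of this diff, so I can't confirm which trigger it uses that the `dangerous-triggers` ignore is meant to cover.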