Improve OpenSSF Scorecard results (#41)

Frawless · web-flow · commit bee85ab254c0 · 2026-06-12T14:03:48.000+02:00
* Pin actions via sha diggest instead of floating tags

Signed-off-by: Jakub Stejskal &lt;xstejs24@gmail.com&gt;

* Bump couple of versions and add scorecard workflow

Signed-off-by: Jakub Stejskal &lt;xstejs24@gmail.com&gt;

* Improve OpenSSF Scorecard reports

Signed-off-by: Jakub Stejskal &lt;xstejs24@gmail.com&gt;

---------

Signed-off-by: Jakub Stejskal &lt;xstejs24@gmail.com&gt;
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -6,13 +6,9 @@ self-hosted-runner:
   # Labels of self-hosted runner in array of strings.
   # Add other runners if needed
   labels:
-    # container runners
-    - oracle-2cpu-8gb-arm64
-    - oracle-2cpu-8gb-x86_64
-    # VM runners
-    - oracle-vm-2cpu-8gb-x86-64
-    - oracle-vm-2cpu-8gb-arm64
-    - oracle-vm-4cpu-16gb-x86-64
-    - oracle-vm-4cpu-16gb-arm64
-    - oracle-vm-8cpu-32gb-x86-64
-    - oracle-vm-8cpu-32gb-arm64
+    - cncf-ubuntu-2-8-x86
+    - cncf-ubuntu-4-16-x86
+    - cncf-ubuntu-8-32-x86
+    - cncf-ubuntu-2-8-arm
+    - cncf-ubuntu-4-16-arm
+    - cncf-ubuntu-8-32-arm
diff --git a/.github/actions/build/build-binaries/action.yml b/.github/actions/build/build-binaries/action.yml
@@ -25,7 +25,7 @@ runs:
     # Common build steps
     #############################################################
     - name: Restore Maven cache
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ~/.m2/repository
         key: maven-${{ hashFiles('**/pom.xml') }}
@@ -111,7 +111,7 @@ runs:
     - name: Save Maven cache
       # Save maven cache only after pushes into default branch
       if: ${{ inputs.mainJavaBuild == 'true' && github.event_name == 'push' && github.ref_name == github.event.repository.default_branch }}
-      uses: actions/cache/save@v5
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ~/.m2/repository
         key: maven-${{ hashFiles('**/pom.xml') }}
@@ -138,14 +138,14 @@ runs:
 
     - name: Upload artifact
       if: ${{ inputs.mainJavaBuild == 'true' }}
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: binaries-${{ inputs.artifactSuffix }}.tar
         path: binaries-${{ inputs.artifactSuffix }}.tar
         retention-days: 7
 
     - name: Publish test results
-      uses: dorny/test-reporter@v3
+      uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
       if: always() && inputs.clusterOperatorBuild != 'true'
       with:
         name: 'Unit & Integration tests'
diff --git a/.github/actions/build/build-containers/action.yml b/.github/actions/build/build-containers/action.yml
@@ -34,13 +34,13 @@ runs:
   steps:
     - name: Download binaries from this workflow
       if: ${{ inputs.buildRunId == '' }}
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: binaries-${{ inputs.artifactSuffix }}.tar
 
     - name: Download binaries from external build
       if: ${{ inputs.buildRunId != '' }}
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: binaries-${{ inputs.artifactSuffix }}.tar
         run-id: ${{ inputs.buildRunId }}
@@ -67,7 +67,7 @@ runs:
       run: "tar -cvpf containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar ${{ inputs.imagesLocation }}"
 
     - name: Upload containers artifact
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar
         path: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar
diff --git a/.github/actions/build/deploy-java/action.yml b/.github/actions/build/deploy-java/action.yml
@@ -22,7 +22,7 @@ runs:
   using: "composite"
   steps:
     - name: Restore Maven cache
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ~/.m2/repository
         key: maven-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/actions/build/publish-helm-chart/action.yml b/.github/actions/build/publish-helm-chart/action.yml
@@ -30,7 +30,7 @@ runs:
   using: "composite"
   steps:
     - name: Download release artifacts
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar
         path: ./
diff --git a/.github/actions/build/push-containers/action.yml b/.github/actions/build/push-containers/action.yml
@@ -35,11 +35,11 @@ runs:
   using: "composite"
   steps:
     - name: Install Cosign
-      uses: sigstore/cosign-installer@v4.0.0
+      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
     - name: Download container artifact
       if: ${{ inputs.buildRunId != '' }}
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         pattern: containers-${{ inputs.artifactSuffix }}*
         path: ./
@@ -49,7 +49,7 @@ runs:
 
     - name: Download container artifact
       if: ${{ inputs.buildRunId == '' }}
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         pattern: containers-${{ inputs.artifactSuffix }}*
         path: ./
@@ -144,7 +144,7 @@ runs:
       # The keyless signing doesn't work on pull_requests events so this part will be tested only during push events
       # It shouldn't affect the usage in Strimzi projects as images are always pushed and signed during push or workflow_dispatch events
       if: ${{ github.event_name != 'pull_request' }}
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: SBOMs-${{ inputs.artifactSuffix }}-${{ inputs.containerTag }}.tar.gz
         path: sbom.tar.gz
diff --git a/.github/actions/build/release-artifacts/action.yml b/.github/actions/build/release-artifacts/action.yml
@@ -13,7 +13,7 @@ runs:
   using: "composite"
   steps:
     - name: Restore Maven cache
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ~/.m2/repository
         key: maven-${{ hashFiles('**/pom.xml') }}
@@ -37,7 +37,7 @@ runs:
           -exec tar -rvf release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar {} \;
 
     - name: Upload release artifacts
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar
         path: release-${{ inputs.artifactSuffix }}-${{ inputs.releaseVersion }}.tar
diff --git a/.github/actions/dependencies/install-ascii-doctor/action.yml b/.github/actions/dependencies/install-ascii-doctor/action.yml
@@ -11,7 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0
       with:
         ruby-version: ${{ inputs.rubyVersion }}
 
diff --git a/.github/actions/dependencies/install-docker/action.yml b/.github/actions/dependencies/install-docker/action.yml
@@ -9,12 +9,12 @@ runs:
       run: "docker --version"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v4
+      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       with:
         platforms: all
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       with:
         platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
         driver: docker
diff --git a/.github/actions/dependencies/install-helm/setup-helm.sh b/.github/actions/dependencies/install-helm/setup-helm.sh
@@ -13,7 +13,7 @@ function install_helm3 {
     fi
 
     export HELM_INSTALL_DIR=/usr/bin
-    curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > get_helm.sh
+    curl https://raw.githubusercontent.com/helm/helm/06468084e85c244c712834933d25ea232a4c2093/scripts/get > get_helm.sh # v4.2.0
     # we need to modify the script with a different path because on the Azure pipelines the HELM_INSTALL_DIR env var is not honoured
     sed -i 's#/usr/local/bin#/usr/bin#g' get_helm.sh
     chmod 700 get_helm.sh
diff --git a/.github/actions/dependencies/setup-java/action.yml b/.github/actions/dependencies/setup-java/action.yml
@@ -19,11 +19,11 @@ runs:
   using: "composite"
   steps:
     - name: Set up Maven
-      uses: stCarolas/setup-maven@v5.1
+      uses: stCarolas/setup-maven@12eb41b233df95d49b0c11fc1b5bc8312e5d4ce0 # v5.1
       with:
         maven-version: ${{ inputs.mavenVersion }}
 
-    - uses: actions/setup-java@v5
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         distribution: ${{ inputs.javaDistro }}
         java-version: ${{ inputs.javaVersion }}
diff --git a/.github/actions/dependencies/setup-kind/action.yml b/.github/actions/dependencies/setup-kind/action.yml
@@ -32,7 +32,7 @@ runs:
   steps:
     - name: Cache registry Docker image
       id: cache-registry
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: /tmp/registry-image-${{ inputs.architecture }}.tar
         key: registry-image
@@ -52,7 +52,7 @@ runs:
 
     - name: Cache cloud-provider-kind container image
       id: cache-cloud-provider-kind
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: /tmp/cloud-provider-kind-image-${{ inputs.architecture }}.tar
         key: cloud-provider-kind
diff --git a/.github/actions/dependencies/setup-minikube/action.yml b/.github/actions/dependencies/setup-minikube/action.yml
@@ -24,7 +24,7 @@ runs:
   steps:
     - name: Cache registry Docker image
       id: cache-registry
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: /tmp/registry-image.tar
         key: registry-image
diff --git a/.github/actions/utils/check-permissions/action.yml b/.github/actions/utils/check-permissions/action.yml
@@ -13,7 +13,7 @@ runs:
   using: composite
   steps:
     - name: Check repository permission / team membership
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       env:
         TEAM: ${{ inputs.team }}
         MESSAGE: ${{ inputs.message }}
diff --git a/.github/actions/utils/determine-ref/action.yml b/.github/actions/utils/determine-ref/action.yml
@@ -14,7 +14,7 @@ runs:
   steps:
     - name: Determine ref and SHA
       id: determine
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       with:
         script: |
           const {owner, repo} = context.repo;
diff --git a/.github/actions/utils/should-run/action.yml b/.github/actions/utils/should-run/action.yml
@@ -11,7 +11,7 @@ runs:
   steps:
     - name: Should Run
       id: should_run
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       with:
         script: |
           const ev = context.eventName;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    # Workflows are loaded automatically when / is specified in the directories list
+    directories:
+      - "/"
+      - "/.github/actions/build/*"
+      - "/.github/actions/dependencies/*"
+      - "/.github/actions/utils/*"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,30 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '23 17 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          languages: actions
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: docker://rhysd/actionlint:1.7.10
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 # v1.7.12
         with:
           args: -color
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -31,7 +34,7 @@ jobs:
           echo "major=${BASH_REMATCH[1]}" >> "$GITHUB_OUTPUT"
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/reusable-test-integrations.yml b/.github/workflows/reusable-test-integrations.yml
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
diff --git a/.github/workflows/test-dependencies.yml b/.github/workflows/test-dependencies.yml
diff --git a/.github/workflows/test-utils.yml b/.github/workflows/test-utils.yml
diff --git a/README.md b/README.md
diff --git a/SECURITY.md b/SECURITY.md
