diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2aac5c94f1..574e8ec28d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -14,7 +14,6 @@ defaults: permissions: contents: read - checks: write # Used to annotate code in the PR jobs: changes: @@ -31,10 +30,11 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: ${{ steps.base-depth.outputs.base-depth }} + persist-credentials: false - name: detect id: detect run: | - git fetch origin ${{ github.base_ref }} + git fetch origin ${GITHUB_BASE_REF} CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n') echo -e "Changed files:\n${CHANGED_FILES}" @@ -55,6 +55,8 @@ jobs: if: ${{ needs.changes.outputs.non-docs == 'true' }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" @@ -64,11 +66,15 @@ jobs: linting: name: lint runs-on: ubuntu-latest + permissions: + contents: read + checks: write # Used by golangci-lint to annotate code in the PR needs: [changes] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" @@ -102,6 +108,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" 
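Review bot: The `git diff` line directly after the rewritten `git fetch origin ${GITHUB_BASE_REF}` still interpolates `${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}` into the shell script, even though the fetch line and the `Check CI results` step in this same change were moved to environment variables. Commit SHAs are fixed-format hex, so this is not an injection risk, but for consistency I'd route them the same way: `CHANGED_FILES=$(git diff --name-only "${BASE_SHA}...${HEAD_SHA}" | tr ' ' '\n')` with `BASE_SHA` and `HEAD_SHA` set in the step's `env:` from those two contexts. Note also that with `persist-credentials: false` on the preceding checkout the `git fetch` now runs unauthenticated, which is fine for a public repository but would presumably need an explicit token on a private one. The detect step's script continues outside the hunk.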
@@ -121,10 +129,10 @@ jobs: - name: Check CI results run: | results=( - "build=${{ needs.build.result }}" - "linting=${{ needs.linting.result }}" - "tests=${{ needs.tests.result }}" - "e2e-tests=${{ needs.e2e-tests.result }}" + "build=${NEEDS_BUILD_RESULT}" + "linting=${NEEDS_LINTING_RESULT}" + "tests=${NEEDS_TESTS_RESULT}" + "e2e-tests=${NEEDS_E2E_TESTS_RESULT}" ) failed=0 for r in "${results[@]}"; do @@ -142,3 +150,8 @@ jobs: fi echo "" echo "All CI checks passed" + env: + NEEDS_BUILD_RESULT: ${{ needs.build.result }} + NEEDS_LINTING_RESULT: ${{ needs.linting.result }} + NEEDS_TESTS_RESULT: ${{ needs.tests.result }} + NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1b9d0f80cf..8e5c68c7a5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/go-coverage.yml b/.github/workflows/go-coverage.yml index 339ac72288..0eaaf7a4d9 100644 --- a/.github/workflows/go-coverage.yml +++ b/.github/workflows/go-coverage.yml @@ -38,6 +38,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ github.workspace }}/src/github.com/tektoncd/chains + persist-credentials: false - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 diff --git a/.github/workflows/goclean.yml b/.github/workflows/goclean.yml index d0bdb0d46e..1e02bf28a7 100644 --- a/.github/workflows/goclean.yml +++ b/.github/workflows/goclean.yml @@ -1,5 +1,8 @@ name: goclean +permissions: + contents: read + on: push: paths: 
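Review bot: The new `env:` block for the `Check CI results` step (hunk at -142) is appended after the multi-line `run:` scalar, so a reader meets `${NEEDS_BUILD_RESULT}` and its three siblings in the hunk at -121 before seeing where they are defined. This is valid YAML, presumably at step level, but the conventional ordering is `env:` before `run:`; I'd move the five `env:` lines up to sit directly under `- name: Check CI results`. The values are job results drawn from a fixed vocabulary (`success`, `failure`, `cancelled`, `skipped`), so moving them to env is hygiene rather than a functional fix, which is worth saying in the commit message. The step's script body begins outside the first hunk.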
@@ -25,11 +28,14 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" + cache: false - name: go vet run: | diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 96b3463cea..1197682032 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml @@ -16,6 +16,8 @@ defaults: jobs: k8s: + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ matrix.k8s-version }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -33,6 +35,8 @@ jobs: k8s-version: ${{ matrix.k8s-version }} pipelines-release: v1.2.0 # Latest version pipelines-lts: + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ matrix.pipelines-release }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/reusable-e2e.yaml b/.github/workflows/reusable-e2e.yaml index be0b462a1e..cd99cc1f87 100644 --- a/.github/workflows/reusable-e2e.yaml +++ b/.github/workflows/reusable-e2e.yaml @@ -36,6 +36,8 @@ jobs: - name: Check out our repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 @@ -53,7 +55,7 @@ jobs: - name: Install Tekton pipelines run: | - while ! kubectl apply --filename ${{ env.TEKTON_PIPELINES_RELEASE }} + while ! kubectl apply --filename ${TEKTON_PIPELINES_RELEASE} do echo "waiting for tekton pipelines to get installed" sleep 2 diff --git a/.github/workflows/test-on-microshift.yaml b/.github/workflows/test-on-microshift.yaml index 3b521ea22e..54ecfe2c2b 100644 --- a/.github/workflows/test-on-microshift.yaml +++ b/.github/workflows/test-on-microshift.yaml 
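Review bot: `cache: false` on the goclean setup-go step is added without a comment, and the other setup-go steps touched in this change (ci.yaml, go-coverage.yml, reusable-e2e.yaml) leave caching at its default, so the reason for singling out this job cannot be recovered from the diff. If this was prompted by a cache-related finding from the new zizmor workflow or by a cache/go.sum mismatch in this job, record it inline: `cache: false  # <reason caching is disabled for this job>`. Otherwise consider applying the setting uniformly or dropping it so the workflows stay consistent. The job's remaining steps are outside the hunk.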
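Review bot: The rewritten `kubectl apply --filename ${TEKTON_PIPELINES_RELEASE}` leaves the expansion unquoted; the value presumably comes from the workflow's `env` (it was `env.TEKTON_PIPELINES_RELEASE` before) and is a release path or URL, so word-splitting is unlikely, but quoting costs nothing: `while ! kubectl apply --filename "${TEKTON_PIPELINES_RELEASE}"`. The surrounding `while ! ... do sleep 2` retry has no iteration limit or overall timeout (pre-existing), so a persistently bad reference spins until the job-level timeout; a bounded retry counter would surface failures faster. The step's loop body continues outside the hunk.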
@@ -30,6 +30,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ github.workspace }}/src/github.com/tektoncd/chains + persist-credentials: false - uses: imjasonh/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 @@ -66,4 +67,4 @@ jobs: export KUBECONFIG=$HOME/.kube/config - source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh \ No newline at end of file + source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000000..88205a97e1 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,23 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
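Review bot: The `source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh` line is changed only to add the trailing newline, so the `github.workspace` expression is still expanded inside the shell script (the checkout `path:` in the hunk at -30 uses the same expression, which is fine there since it is a `with:` input). `github.workspace` is runner-controlled rather than attacker-controlled, so this is consistency rather than a vulnerability, but the rest of this change moves expressions out of `run:` blocks and the equivalent here is `source "${GITHUB_WORKSPACE}/src/github.com/tektoncd/chains/test/microshift_test.sh"`. The enclosing step starts outside the hunk.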
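Review bot: The `zizmor` job grants only `security-events: write`, so after the top-level `permissions: {}` the token carries no `contents` or `actions` scope; checkout of a public repository appears to work because read access is implicit there, but that assumption is not recorded and would break on a private fork or mirror. I'd document it on the job line: `security-events: write  # SARIF upload; contents: read and actions: read are additionally needed on private repos`. Separately, pull requests from forks run with a read-only token, so the SARIF upload the action performs by default will presumably fail on those runs; worth confirming how zizmor-action behaves in that case before relying on its PR findings.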