workflow: pin actions with sha's

And update the pinned SHAs once a week.

Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Tuomas Katila 2024-05-28 11:31:12 +03:00
parent 11c9753aca
commit dfa91333a9
9 changed files with 46 additions and 61 deletions


@ -12,5 +12,6 @@ updates:
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
# Check for updates to GitHub Actions every weekday # Check for updates to GitHub Actions every week on Sunday
interval: "daily" interval: "weekly"
day: "sunday"


@ -45,8 +45,8 @@ jobs:
- dlb-libdlb-demo - dlb-libdlb-demo
builder: [buildah, docker] builder: [buildah, docker]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true
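Review bot: The trailing comment on the new `actions/checkout` and `actions/setup-go` pins records only the major tag (`# v4`, `# v5`), whereas the scorecard pin elsewhere in this commit carries the exact release (`# v2.3.3`) and the trivy pins `# 0.21.0`; a major-only comment cannot be checked against the commit hash without resolving it upstream, so the pin is not reviewable from the diff. Recording the tag the SHA was actually taken from, e.g. `- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.<exact release>` (placeholder to be replaced with the real release number), makes the pin auditable and keeps the comment format uniform. The same applies to the checkout, setup-go, codeql-action, docker/login-action, upload-artifact and golangci-lint-action pins in the other workflow files of this commit. I believe Dependabot keeps such a comment in sync when it bumps the SHA, so this is a one-time lookup per action, but that is worth confirming after the first weekly run. The enclosing job definition starts before this hunk.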


@ -18,19 +18,18 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
- uses: actions/setup-go@v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3
with: with:
languages: 'go' languages: 'go'
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3 uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3
with: with:
category: "/language:go" category: "/language:go"


@ -67,7 +67,7 @@ jobs:
IMAGES: ${{ join(matrix.images, ' ') }} IMAGES: ${{ join(matrix.images, ' ') }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Describe test environment - name: Describe test environment


@ -42,8 +42,8 @@ jobs:
- crypto-perf - crypto-perf
- opae-nlb-demo - opae-nlb-demo
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true
@ -54,7 +54,7 @@ jobs:
run: | run: |
REG=intel/ make ${IMAGE_NAME} BUILDER=docker REG=intel/ make ${IMAGE_NAME} BUILDER=docker
- name: Trivy scan for image - name: Trivy scan for image
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: image scan-type: image
image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }} image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@ -64,7 +64,7 @@ jobs:
if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }} if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
- name: Login - name: Login
uses: docker/login-action@v3 uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
with: with:
username: ${{ secrets.DOCKERHUB_USER }} username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASS }} password: ${{ secrets.DOCKERHUB_PASS }}


@ -16,18 +16,16 @@ jobs:
id-token: write id-token: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
persist-credentials: false persist-credentials: false
- name: "Analyze project" - name: "Analyze project"
uses: ossf/scorecard-action@v2.3.3 uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3
with: with:
results_file: results.sarif results_file: results.sarif
results_format: sarif results_format: sarif
publish_results: true publish_results: true
- name: "Upload results to security" - name: "Upload results to security"
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
with: with:
sarif_file: results.sarif sarif_file: results.sarif


@ -30,10 +30,9 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- name: Run Trivy in config mode for deployments - name: Run Trivy in config mode for deployments
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: config scan-type: config
scan-ref: deployments/ scan-ref: deployments/
@ -49,10 +48,9 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- name: Run Trivy in config mode for dockerfiles - name: Run Trivy in config mode for dockerfiles
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: config scan-type: config
scan-ref: build/docker/ scan-ref: build/docker/
@ -64,10 +62,9 @@ jobs:
name: Scan licenses name: Scan licenses
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- name: Run Trivy in fs mode - name: Run Trivy in fs mode
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: fs scan-type: fs
scan-ref: . scan-ref: .
@ -78,16 +75,14 @@ jobs:
trivy-scan-vulns: trivy-scan-vulns:
permissions: permissions:
security-events: write security-events: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
name: Scan vulnerabilities name: Scan vulnerabilities
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- name: Run Trivy in fs mode - name: Run Trivy in fs mode
continue-on-error: true continue-on-error: true
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: fs scan-type: fs
scan-ref: . scan-ref: .
@ -95,19 +90,17 @@ jobs:
list-all-pkgs: true list-all-pkgs: true
format: json format: json
output: trivy-report.json output: trivy-report.json
- name: Show report in human-readable format - name: Show report in human-readable format
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: convert scan-type: convert
vuln-type: '' vuln-type: ''
severity: '' severity: ''
image-ref: trivy-report.json image-ref: trivy-report.json
format: table format: table
- name: Convert report to sarif - name: Convert report to sarif
if: ${{ inputs.upload-to-github-security-tab }} if: ${{ inputs.upload-to-github-security-tab }}
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: convert scan-type: convert
vuln-type: '' vuln-type: ''
@ -115,16 +108,14 @@ jobs:
image-ref: trivy-report.json image-ref: trivy-report.json
format: sarif format: sarif
output: trivy-report.sarif output: trivy-report.sarif
- name: Upload sarif report to GitHub Security tab - name: Upload sarif report to GitHub Security tab
if: ${{ inputs.upload-to-github-security-tab }} if: ${{ inputs.upload-to-github-security-tab }}
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
with: with:
sarif_file: trivy-report.sarif sarif_file: trivy-report.sarif
- name: Convert report to csv - name: Convert report to csv
if: ${{ inputs.export-csv }} if: ${{ inputs.export-csv }}
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with: with:
scan-type: convert scan-type: convert
vuln-type: '' vuln-type: ''
@ -133,10 +124,9 @@ jobs:
format: template format: template
template: "@.github/workflows/template/trivy-csv.tpl" template: "@.github/workflows/template/trivy-csv.tpl"
output: trivy-report.csv output: trivy-report.csv
- name: Upload CSV report as an artifact - name: Upload CSV report as an artifact
if: ${{ inputs.export-csv }} if: ${{ inputs.export-csv }}
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
with: with:
name: trivy-report name: trivy-report
path: trivy-report.csv path: trivy-report.csv


@ -14,7 +14,7 @@ jobs:
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y python3-venv sudo apt-get install -y python3-venv
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up doc directory - name: Set up doc directory
@ -28,30 +28,28 @@ jobs:
rm -rf _work/venv rm -rf _work/venv
make vhtml make vhtml
mv _build/html/* $HOME/output/ mv _build/html/* $HOME/output/
golangci: golangci:
permissions: permissions:
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: lint name: lint
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v6 uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
with: with:
version: v1.57.2 version: v1.57.2
args: -v --timeout 5m args: -v --timeout 5m
build: build:
name: Build and check device plugins name: Build and check device plugins
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true
@ -63,7 +61,6 @@ jobs:
- run: make check-github-actions - run: make check-github-actions
#- name: Codecov report #- name: Codecov report
# run: bash <(curl -s https://codecov.io/bash) # run: bash <(curl -s https://codecov.io/bash)
envtest: envtest:
name: Test APIs using envtest name: Test APIs using envtest
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -74,8 +71,8 @@ jobs:
- 1.29.x - 1.29.x
- 1.30.x - 1.30.x
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with: with:
go-version-file: go.mod go-version-file: go.mod
check-latest: true check-latest: true


@ -23,7 +23,7 @@ jobs:
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y python3-venv git sudo apt-get install -y python3-venv git
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
ref: main ref: main
@ -44,7 +44,7 @@ jobs:
rm -rf _work/venv rm -rf _work/venv
make vhtml make vhtml
mv _build/html/* $HOME/output/ mv _build/html/* $HOME/output/
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
ref: release-0.28 ref: release-0.28
@ -55,7 +55,7 @@ jobs:
rm -rf _work/venv rm -rf _work/venv
make vhtml make vhtml
mv _build/html $HOME/output/0.28 mv _build/html $HOME/output/0.28
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
ref: release-0.29 ref: release-0.29
@ -66,7 +66,7 @@ jobs:
rm -rf _work/venv rm -rf _work/venv
make vhtml make vhtml
mv _build/html $HOME/output/0.29 mv _build/html $HOME/output/0.29
- uses: actions/checkout@v4 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
with: with:
fetch-depth: 0 fetch-depth: 0
ref: release-0.30 ref: release-0.30