Setup scorecard workflow

Apply security best practices Signed-off-by: Matthieu MOREL <[email protected]>
vmware-tanzu · Aug 20, 2024 · 5a3bc58 · 5a3bc58
1 parent a6c5433
commit 5a3bc58
Show file tree

Hide file tree

Showing 22 changed files with 193 additions and 52 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,3 +19,30 @@ updates:
  ignore:
  - dependency-name: "*"
  update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: "weekly"
+ labels:
+ - "Dependencies"
+ - "docker"
+ - "kind/changelog-not-required"
+
+ - package-ecosystem: docker
+ directory: /hack/build-image
+ schedule:
+ interval: "weekly"
+ labels:
+ - "Dependencies"
+ - "docker"
+ - "kind/changelog-not-required"
+
+ - package-ecosystem: docker
+ directory: /site
+ schedule:
+ interval: "weekly"
+ labels:
+ - "Dependencies"
+ - "docker"
+ - "kind/changelog-not-required"
diff --git a/.github/workflows/auto_assign_prs.yml b/.github/workflows/auto_assign_prs.yml
@@ -7,13 +7,19 @@ on:
  pull_request_target:
  types: [opened, reopened, ready_for_review]
 
+permissions:
+ contents: read
+
 jobs:
  # Automatically assigns reviewers and owner
  add-reviews:
+ permissions:
+ contents: read # for kentaro-m/auto-assign-action to fetch config file
+ pull-requests: write # for kentaro-m/auto-assign-action to assign PR reviewers
  runs-on: ubuntu-latest
  steps:
  - name: Set the author of a PR as the assignee
- uses: kentaro-m/[email protected]
+ uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0
  with:
  configuration-path: ".github/auto-assignees.yml"
  repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/auto_label_prs.yml b/.github/workflows/auto_label_prs.yml
@@ -8,12 +8,18 @@ on:
  pull_request_target:
  types: [opened, reopened, synchronize, ready_for_review]
 
+permissions:
+ contents: read
+
 jobs:
  # Automatically labels PRs based on file globs in the change.
  triage:
+ permissions:
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
  runs-on: ubuntu-latest
  steps:
- - uses: actions/labeler@v5
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
  with:
  repo-token: "${{ secrets.GITHUB_TOKEN }}"
  configuration-path: .github/labeler.yml
diff --git a/.github/workflows/auto_request_review.yml b/.github/workflows/auto_request_review.yml
@@ -11,7 +11,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Request a PR review based on files types/paths, and/or groups the author belongs to
- uses: necojackarc/[email protected]
+ uses: necojackarc/auto-request-review@e89da1a8cd7c8c16d9de9c6e763290b6b0e3d424 # v0.13.0
  with:
  token: ${{ secrets.GITHUB_TOKEN }}
  config: .github/auto-assignees.yml
diff --git a/.github/workflows/crds-verify-kind.yaml b/.github/workflows/crds-verify-kind.yaml
@@ -6,21 +6,24 @@ on:
  - "site/**"
  - "design/**"
 
+permissions:
+ contents: read
+
 jobs:
  # Build the Velero CLI once for all Kubernetes versions, and cache it so the fan-out workers can get it.
  build-cli:
  runs-on: ubuntu-latest
  steps:
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version-file: 'go.mod'
  # Look for a CLI that's made for this PR
  - name: Fetch built CLI
  id: cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  env:
  cache-name: cache-velero-cli
  with:
@@ -55,7 +58,7 @@ jobs:
  steps:
  - name: Fetch built CLI
  id: cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  env:
  cache-name: cache-velero-cli
  with:
@@ -65,7 +68,7 @@ jobs:
  # This key controls the prefixes that we'll look at in the cache to restore from
  restore-keys: |
  velero-${{ github.event.pull_request.number }}-
- - uses: engineerd/[email protected]
+ - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
  with:
  version: "v0.21.0"
  image: "kindest/node:v${{ matrix.k8s }}"

diff --git a/.github/workflows/e2e-test-kind.yaml b/.github/workflows/e2e-test-kind.yaml
@@ -6,28 +6,31 @@ on:
  paths-ignore:
  - "site/**"
  - "design/**"
+permissions:
+ contents: read
+
 jobs:
  # Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it.
  build:
  runs-on: ubuntu-latest
  steps:
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version-file: 'go.mod'
  # Look for a CLI that's made for this PR
  - name: Fetch built CLI
  id: cli-cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  with:
  path: ./_output/bin/linux/amd64/velero
  # The cache key a combination of the current PR number and the commit SHA
  key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
  - name: Fetch built image
  id: image-cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  with:
  path: ./velero.tar
  # The cache key a combination of the current PR number and the commit SHA
@@ -66,27 +69,27 @@ jobs:
  fail-fast: false
  steps:
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version-file: 'go.mod'
  - name: Install MinIO
  run:
  docker run -d --rm -p 9000:9000 -e "MINIO_ACCESS_KEY=minio" -e "MINIO_SECRET_KEY=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:2021.6.17-debian-10-r7
- - uses: engineerd/[email protected]
+ - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
  with:
  version: "v0.21.0"
  image: "kindest/node:v${{ matrix.k8s }}"
  - name: Fetch built CLI
  id: cli-cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  with:
  path: ./_output/bin/linux/amd64/velero
  key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
  - name: Fetch built Image
  id: image-cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
  with:
  path: ./velero.tar
  key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }}
@@ -121,7 +124,7 @@ jobs:
  timeout-minutes: 30
  - name: Upload debug bundle
  if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
  with:
  name: DebugBundle
  path: /home/runner/work/velero/velero/test/e2e/debug-bundle*
diff --git a/.github/workflows/nightly-trivy-scan.yml b/.github/workflows/nightly-trivy-scan.yml
@@ -3,6 +3,9 @@ on:
  schedule:
  - cron: '0 2 * * *' # run at 2 AM UTC
 
+permissions:
+ contents: read
+
 jobs:
  nightly-scan:
  name: Trivy nightly scan
@@ -19,10 +22,10 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
  with:
  image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}'
  severity: 'CRITICAL,HIGH,MEDIUM'
@@ -31,6 +34,6 @@ jobs:
  output: 'trivy-results.sarif'
 
  - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
  with:
  sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/pr-changelog-check.yml b/.github/workflows/pr-changelog-check.yml
@@ -4,6 +4,9 @@ name: Pull Request Changelog Check
 on:
  pull_request:
  types: [opened, synchronize, reopened, labeled, unlabeled]
+permissions:
+ contents: read
+
 jobs:
 
  build:
@@ -12,7 +15,7 @@ jobs:
  steps:
 
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Changelog check
  if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}

diff --git a/.github/workflows/pr-ci-check.yml b/.github/workflows/pr-ci-check.yml
@@ -1,5 +1,8 @@
 name: Pull Request CI Check
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
  build:
  name: Run CI
@@ -8,15 +11,15 @@ jobs:
  fail-fast: false
  steps:
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version-file: 'go.mod'
  - name: Make ci
  run: make ci
  - name: Upload test coverage
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
  with:
  token: ${{ secrets.CODECOV_TOKEN }}
  files: coverage.out

diff --git a/.github/workflows/pr-codespell.yml b/.github/workflows/pr-codespell.yml
@@ -1,5 +1,8 @@
 name: Pull Request Codespell Check
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 
  codespell:
@@ -8,10 +11,10 @@ jobs:
  steps:
 
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Codespell
- uses: codespell-project/actions-codespell@master
+ uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # master
  with:
  # ignore the config/.../crd.go file as it's generated binary data that is edited elswhere.
  skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/v1beta1/crds/crds.go,./config/crd/v1/crds/crds.go,./config/crd/v2alpha1/crds/crds.go,./go.sum,./LICENSE

diff --git a/.github/workflows/pr-containers.yml b/.github/workflows/pr-containers.yml
@@ -8,23 +8,26 @@ on:
  paths:
  - 'Dockerfile'
 
+permissions:
+ contents: read
+
 jobs:
  build:
  name: Build
  runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  name: Checkout
 
  - name: Set up QEMU
  id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
  with:
  platforms: all
 
  - name: Set up Docker Buildx
  id: buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
  with:
  version: latest
 

diff --git a/.github/workflows/pr-goreleaser.yml b/.github/workflows/pr-goreleaser.yml
@@ -14,7 +14,7 @@ jobs:
  name: Build
  runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  name: Checkout
 
  - name: Verify .goreleaser.yml and try a dryrun release.

diff --git a/.github/workflows/pr-linter-check.yml b/.github/workflows/pr-linter-check.yml
@@ -1,19 +1,25 @@
 name: Pull Request Linter Check
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 
  build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
  name: Run Linter Check
  runs-on: ubuntu-latest
  steps:
  - name: Check out the code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version-file: 'go.mod'
  - name: Linter check
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
  with:
  version: v1.57.2
  args: --verbose
diff --git a/.github/workflows/prow-action.yml b/.github/workflows/prow-action.yml
@@ -9,7 +9,7 @@ jobs:
  execute:
  runs-on: ubuntu-latest
  steps:
- - uses: jpmcb/[email protected]
+ - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3
  with:
  # TODO: before allowing the /lgtm command, see if we can block merging if changelog labels are missing.
  prow-commands: |