From 67d016365be07bd5547b77506f858ea5fff2555a Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 15:21:05 +0200 Subject: [PATCH 1/2] ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/zizmor.yml | 26 ++++++++++++++++++++++++++ .github/zizmor.yml | 3 +++ 2 files changed, 29 insertions(+) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..289d2a3a --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +name: zizmor + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'main' + pull_request: + +jobs: + zizmor: + uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 + permissions: + contents: read + security-events: write + with: + min-severity: medium + min-confidence: medium + persona: pedantic diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..6415720a --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783 + disable: true From aad7ccb881e34319b832d0a5745fabb0836637a6 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 15:21:17 +0200 Subject: [PATCH 2/2] fix zizmor findings 
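Review bot: The `zizmor` job requests `security-events: write`, but on `pull_request` runs from forks the workflow token is read-only, so that permission is not granted; if the reusable workflow uploads SARIF to code scanning (its body is outside this patch), fork-PR runs will fail at the upload step instead of reporting findings. Worth confirming the called workflow falls back to plain output when the permission is missing, or gating the job with `if: ${{ !github.event.pull_request.head.repo.fork }}`. A one-line comment on the job's `permissions:` block, e.g. `# security-events: write is for SARIF upload; not available on fork PRs`, would record the expectation for the next reader.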
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/dependabot.yml | 6 ++ .github/workflows/.build.yml | 93 +++++++++++-------- .github/workflows/.pkgs.yml | 7 +- .github/workflows/build-buildx.yml | 4 +- .github/workflows/build-cagent.yml | 4 +- .github/workflows/build-compose.yml | 4 +- .github/workflows/build-containerd.yml | 4 +- .../workflows/build-credential-helpers.yml | 4 +- .github/workflows/build-docker-cli.yml | 4 +- .github/workflows/build-docker-engine.yml | 4 +- .github/workflows/build-model.yml | 4 +- .github/workflows/labeler.yml | 16 ++-- .github/workflows/nightly.yml | 9 +- .github/workflows/release-buildx.yml | 9 +- .github/workflows/release-cagent.yml | 9 +- .github/workflows/release-compose.yml | 9 +- .github/workflows/release-containerd.yml | 9 +- .../workflows/release-credential-helpers.yml | 9 +- .github/workflows/release-docker-cli.yml | 9 +- .github/workflows/release-docker-engine.yml | 9 +- .github/workflows/release-model.yml | 9 +- .github/workflows/update-go.yml | 9 +- .github/workflows/validate.yml | 7 +- 23 files changed, 181 insertions(+), 70 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d942da5d..97166656 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,12 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 + groups: + crazy-max-dot-github: + patterns: + - "crazy-max/.github/*" labels: - "area/dependencies" - "bot" diff --git a/.github/workflows/.build.yml b/.github/workflows/.build.yml index ffd7cf78..a9d2b58c 100644 --- a/.github/workflows/.build.yml +++ b/.github/workflows/.build.yml @@ -1,6 +1,9 @@ # reusable workflow name: .build +permissions: + contents: read + on: workflow_call: inputs: 
@@ -16,6 +19,17 @@ on: distros: required: false type: string + secrets: + rh_user: + required: false + rh_pass: + required: false + dockerpublicbot_username: + required: false + dockerpublicbot_write_pat: + required: false + ghtoken: + required: false env: REPO_SLUG: dockereng/packaging @@ -30,11 +44,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Matrix id: matrix - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_NAME: ${{ inputs.name }} INPUT_RELEASE: ${{ inputs.release }} @@ -109,6 +123,9 @@ jobs: timeout-minutes: 60 needs: - prepare + env: + INPUT_ENVS: ${{ inputs.envs }} + INPUT_NAME: ${{ inputs.name }} strategy: fail-fast: false matrix: 
@@ -116,46 +133,45 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Environment variables run: | - for l in "${{ inputs.envs }}"; do - echo "${l?}" >> $GITHUB_ENV - done + if [ -n "$INPUT_ENVS" ]; then + printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV" + fi - name: Prepare - # Set platform pair for artifact upload run: | platform=${{ matrix.platform }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: latest - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: pkg-${{ inputs.name }}-${{ matrix.distro }} set: | *.platform=${{ matrix.platform }} env: - RH_USER: ${{ secrets.RH_USER }} - RH_PASS: ${{ secrets.RH_PASS }} + RH_USER: ${{ secrets.rh_user }} + RH_PASS: ${{ secrets.rh_pass }} - name: List artifacts run: | - tree -nh ./bin/pkg/${{ inputs.name }} + tree -nh "./bin/pkg/${INPUT_NAME}" - name: Verify if: ${{ matrix.verify }} - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: verify-${{ inputs.name }}-${{ matrix.distro }} @@ -163,7 +179,7 @@ jobs: *.platform=${{ matrix.platform }} - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-pkg-${{ inputs.name }}-${{ matrix.distro }}-${{ env.PLATFORM_PAIR }} path: ./bin/pkg/${{ inputs.name }}/* 
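Review bot: The `Prepare` step is left as the one script in this job that still interpolates an expression into shell, `platform=${{ matrix.platform }}`, and appends with an unquoted `>> $GITHUB_ENV`, while the steps around it were converted to `env:`-mediated variables and quoted redirects; the mismatch will keep tripping the same linter rule as soon as the matrix source changes. Add `MATRIX_PLATFORM: ${{ matrix.platform }}` under the step's `env:` and change the two script lines to `platform="$MATRIX_PLATFORM"` and `echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV"`. The hunk also drops the only comment on that step, `# Set platform pair for artifact upload`, without a replacement; it still explains why `PLATFORM_PAIR` exists and should be kept. The same conversion applies to the `Environment variables` step of the release job in the next hunk of this file, which is already done there.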
@@ -175,24 +191,27 @@ jobs: timeout-minutes: 10 needs: - build + env: + INPUT_ENVS: ${{ inputs.envs }} + INPUT_NAME: ${{ inputs.name }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Environment variables run: | - for l in "${{ inputs.envs }}"; do - echo "${l?}" >> $GITHUB_ENV - done + if [ -n "$INPUT_ENVS" ]; then + printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV" + fi - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: latest - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./bin/pkg/${{ inputs.name }} pattern: build-pkg-${{ inputs.name }}-* @@ -200,10 +219,10 @@ jobs: - name: List artifacts run: | - tree -nh ./bin/pkg/${{ inputs.name }} + tree -nh "./bin/pkg/${INPUT_NAME}" - name: Generate metadata - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: metadata-${{ inputs.name }} @@ -211,19 +230,19 @@ jobs: - name: Resolve metadata run: | - for l in $(cat ./bin/pkg/${{ inputs.name }}/metadata.env); do + while IFS= read -r l; do export "${l?}" - echo "${l?}" >> $GITHUB_ENV - done + printf '%s\n' "${l?}" >> "$GITHUB_ENV" + done < "./bin/pkg/${INPUT_NAME}/metadata.env" if [ "${{ github.event_name }}" = "schedule" ]; then - echo "GIT_TAG=nightly/${{ inputs.name }}/$VERSION" >> $GITHUB_ENV + echo "GIT_TAG=nightly/${INPUT_NAME}/$VERSION" >> "$GITHUB_ENV" else - echo "GIT_TAG=${{ inputs.name }}/$VERSION" >> $GITHUB_ENV + echo "GIT_TAG=${INPUT_NAME}/$VERSION" >> "$GITHUB_ENV" fi - name: Docker meta id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: | ${{ env.REPO_SLUG }} 
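Review bot: The new `while IFS= read -r l; do … done < "./bin/pkg/${INPUT_NAME}/metadata.env"` loop in `Resolve metadata` silently drops the last line of the file when it has no trailing newline, and runs `export ""` on any blank line, which fails under the runner's default `bash -e`; the old `for l in $(cat …)` form, whatever its other faults, tolerated both. Whether `metadata.env` can end without a newline or contain blank lines is not visible here, so the cheap guard is `while IFS= read -r l || [ -n "$l" ]; do` plus `[ -z "$l" ] && continue` as the first line of the body. In the same script, `if [ "${{ github.event_name }}" = "schedule" ]` is still an expression inside shell; `if [ "$GITHUB_EVENT_NAME" = "schedule" ]; then` uses the runner-provided variable and matches the style the rest of the hunk adopts.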
@@ -238,15 +257,15 @@ jobs: bake-target: meta-helper - name: Login to Docker Hub - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 if: ${{ inputs.release || github.event_name == 'schedule' }} with: - username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} - password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} + username: ${{ secrets.dockerpublicbot_username }} + password: ${{ secrets.dockerpublicbot_write_pat }} - name: Build release id: build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . files: | @@ -262,7 +281,7 @@ jobs: name: List release artifacts run: | mkdir -p /tmp/release-squashed - cp ./bin/pkg/${{ inputs.name }}/metadata.env /tmp/release-squashed/ + cp "./bin/pkg/${INPUT_NAME}/metadata.env" /tmp/release-squashed/ find /tmp/release -mindepth 2 -maxdepth 2 ! -name metadata.env -exec cp -r -t /tmp/release-squashed {} + tree -nh /tmp/release-squashed | tee /tmp/packages.txt rm -rf /tmp/release-squashed @@ -284,7 +303,7 @@ jobs: * commit: [\`${COMMIT}\`](${REPO}/commit/${COMMIT}) EOF - if [ "${{ inputs.name }}" = "containerd" ]; then + if [ "$INPUT_NAME" = "containerd" ]; then cat >> "/tmp/summary.txt" <<-EOF * runc * repo: ${RUNC_REPO} @@ -315,7 +334,7 @@ jobs: EOF - name: Set outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 id: release-metadata with: script: | @@ -351,4 +370,4 @@ jobs: $ undock --wrap --rm-dist --all ${{ env.REPO_SLUG }}:${{ steps.meta.outputs.version }} ./${{ inputs.name }}/${{ env.VERSION }} ``` env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.ghtoken || github.token }} diff --git a/.github/workflows/.pkgs.yml b/.github/workflows/.pkgs.yml index 63f9ca2f..691c859f 100644 --- a/.github/workflows/.pkgs.yml +++ b/.github/workflows/.pkgs.yml 
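Review bot: `GITHUB_TOKEN: ${{ secrets.ghtoken || github.token }}` always resolves to `github.token` in this series, because no caller (nightly and the release-* workflows pass only the four RH and Docker Hub secrets) supplies `ghtoken`, and every caller now scopes that token to `contents: read` at the top level. If the step this env belongs to (its body starts outside the hunk) needs write access, such as creating a release or pushing a tag, a called workflow cannot elevate what the caller granted, so the callers would need an explicit `permissions:` grant that the patch does not add. If the token is only used for read API calls, say so next to the line, e.g. `# read-only use; pass ghtoken from the caller when a scoped token is required`, so the fallback is not mistaken for an oversight.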
@@ -1,6 +1,9 @@ # reusable workflow name: .pkgs +permissions: + contents: read + on: workflow_call: outputs: @@ -16,11 +19,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set pkgs output id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); diff --git a/.github/workflows/build-buildx.yml b/.github/workflows/build-buildx.yml index c3816d24..277ddf22 100644 --- a/.github/workflows/build-buildx.yml +++ b/.github/workflows/build-buildx.yml @@ -1,5 +1,8 @@ name: build-buildx +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: buildx - secrets: inherit diff --git a/.github/workflows/build-cagent.yml b/.github/workflows/build-cagent.yml index f4a20e76..bc2dac41 100644 --- a/.github/workflows/build-cagent.yml +++ b/.github/workflows/build-cagent.yml @@ -1,5 +1,8 @@ name: build-cagent +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: cagent - secrets: inherit diff --git a/.github/workflows/build-compose.yml b/.github/workflows/build-compose.yml index 5e3a2399..5f310487 100644 --- a/.github/workflows/build-compose.yml +++ b/.github/workflows/build-compose.yml @@ -1,5 +1,8 @@ name: build-compose +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: compose - secrets: inherit diff --git a/.github/workflows/build-containerd.yml b/.github/workflows/build-containerd.yml index 6c867c62..1ca47f75 100644 --- a/.github/workflows/build-containerd.yml 
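Review bot: Removing `secrets: inherit` from `build-buildx.yml` without an explicit `secrets:` mapping means `secrets.rh_user` and `secrets.rh_pass` in `.build.yml`'s Build step now resolve to empty strings for every run of this workflow, including pushes to main that previously inherited `RH_USER`/`RH_PASS`. Whether the pkg-* bake targets need those credentials outside of releases is not visible here; if they do, this caller needs the same four-entry `secrets:` block the nightly and release-* workflows receive, and if not, a comment beside `with:`, e.g. `# build-only: no RH or Docker Hub credentials required`, records that the omission is deliberate. The same change, with the same question, is made in build-cagent, build-compose, build-containerd, build-credential-helpers, build-docker-cli, build-docker-engine and build-model.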
+++ b/.github/workflows/build-containerd.yml @@ -1,5 +1,8 @@ name: build-containerd +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: containerd - secrets: inherit diff --git a/.github/workflows/build-credential-helpers.yml b/.github/workflows/build-credential-helpers.yml index bb4b4d86..a211d406 100644 --- a/.github/workflows/build-credential-helpers.yml +++ b/.github/workflows/build-credential-helpers.yml @@ -1,5 +1,8 @@ name: build-credential-helpers +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: credential-helpers - secrets: inherit diff --git a/.github/workflows/build-docker-cli.yml b/.github/workflows/build-docker-cli.yml index 1aa0dd99..ab05e5b8 100644 --- a/.github/workflows/build-docker-cli.yml +++ b/.github/workflows/build-docker-cli.yml @@ -1,5 +1,8 @@ name: build-docker-cli +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: docker-cli - secrets: inherit diff --git a/.github/workflows/build-docker-engine.yml b/.github/workflows/build-docker-engine.yml index 02de78c8..00a61474 100644 --- a/.github/workflows/build-docker-engine.yml +++ b/.github/workflows/build-docker-engine.yml @@ -1,5 +1,8 @@ name: build-docker-engine +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: docker-engine - secrets: inherit diff --git a/.github/workflows/build-model.yml b/.github/workflows/build-model.yml index bc01c489..8a230d7d 100644 --- a/.github/workflows/build-model.yml +++ b/.github/workflows/build-model.yml 
@@ -1,5 +1,8 @@ name: build-model +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -31,4 +34,3 @@ jobs: uses: ./.github/workflows/.build.yml with: name: model - secrets: inherit diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 80ab1be0..4346c37b 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,26 +1,24 @@ name: labeler +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target jobs: labeler: runs-on: ubuntu-latest permissions: - # same as global permission - contents: read - # required for writing labels - pull-requests: write + contents: read # same as global permission + pull-requests: write # required for writing labels steps: - name: Run - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: sync-labels: true diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 56f6a765..7c8f3fbf 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,6 +1,9 @@ # This workflow runs nighly builds for each package. name: nightly +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -27,4 +30,8 @@ jobs: release: pushonly envs: | NIGHTLY_BUILD=1 - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-buildx.yml b/.github/workflows/release-buildx.yml index b0e46986..6be7ed48 100644 --- a/.github/workflows/release-buildx.yml 
+++ b/.github/workflows/release-buildx.yml @@ -1,5 +1,8 @@ name: release-buildx +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-cagent.yml b/.github/workflows/release-cagent.yml index 51540f9a..248b84a9 100644 --- a/.github/workflows/release-cagent.yml +++ b/.github/workflows/release-cagent.yml @@ -1,5 +1,8 @@ name: release-cagent +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-compose.yml b/.github/workflows/release-compose.yml index f9a18078..88a02de1 100644 --- a/.github/workflows/release-compose.yml +++ b/.github/workflows/release-compose.yml @@ -1,5 +1,8 @@ name: release-compose +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
@@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-containerd.yml b/.github/workflows/release-containerd.yml index d9e1355e..77208444 100644 --- a/.github/workflows/release-containerd.yml +++ b/.github/workflows/release-containerd.yml @@ -1,5 +1,8 @@ name: release-containerd +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -56,4 +59,8 @@ jobs: PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} RUNC_REF=${{ inputs.runc_ref }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-credential-helpers.yml b/.github/workflows/release-credential-helpers.yml index 55e717e8..164ff488 100644 --- a/.github/workflows/release-credential-helpers.yml +++ b/.github/workflows/release-credential-helpers.yml @@ -1,5 +1,8 @@ name: release-credential-helpers +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} 
diff --git a/.github/workflows/release-docker-cli.yml b/.github/workflows/release-docker-cli.yml index 2e79da6a..09c2b2d4 100644 --- a/.github/workflows/release-docker-cli.yml +++ b/.github/workflows/release-docker-cli.yml @@ -1,5 +1,8 @@ name: release-docker-cli +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-docker-engine.yml b/.github/workflows/release-docker-engine.yml index 1eb8b6d2..86302e23 100644 --- a/.github/workflows/release-docker-engine.yml +++ b/.github/workflows/release-docker-engine.yml @@ -1,5 +1,8 @@ name: release-docker-engine +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/release-model.yml b/.github/workflows/release-model.yml index c91a386e..e5b7a537 100644 --- a/.github/workflows/release-model.yml +++ b/.github/workflows/release-model.yml @@ -1,5 +1,8 @@ name: release-model +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
@@ -50,4 +53,8 @@ jobs: PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} PKG_RPM_RELEASE=${{ inputs.revision }} - secrets: inherit + secrets: + rh_user: ${{ secrets.RH_USER }} + rh_pass: ${{ secrets.RH_PASS }} + dockerpublicbot_username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + dockerpublicbot_write_pat: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml index e5e1bf37..e68af7f5 100644 --- a/.github/workflows/update-go.yml +++ b/.github/workflows/update-go.yml @@ -1,5 +1,8 @@ name: update-go +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -20,11 +23,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get GO_VERSION from upstream repositories id: get-go-versions - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_PKGS: ${{ needs.pkgs.outputs.list }} with: @@ -74,7 +77,7 @@ jobs: core.setOutput('list', JSON.stringify(goVersions)); - name: Set GO_VERSION in docker-bake.hcl and Dockerfiles - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_GO_VERSIONS: ${{ steps.get-go-versions.outputs.list }} with: diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 175b187d..3ca03eaf 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,5 +1,8 @@ name: validate +permissions: + contents: read + on: push: branches: @@ -12,10 +15,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: validate