From cf822d2d8e2559fa316f7f9d1499575df8aa26dd Mon Sep 17 00:00:00 2001 From: Alessandro Affinito Date: Tue, 3 Feb 2026 16:17:58 +0100 Subject: [PATCH 1/2] Pin GitHub Actions to SHA and add enforcement Pin all GitHub Actions to their full commit SHA for improved security, following supply chain security best practices. This prevents unexpected changes from compromised or modified action tags. Changes: - Pin all actions across 10 workflow files to specific commit SHAs - Update all actions to their latest patch versions for consistency - Add new workflow (ensure-sha-pinned-actions.yml) that fails CI if unpinned actions are introduced - Add Makefile target (validate-gh-actions) for local validation - Integrate validation into validate-go-action CI target Action versions updated: - actions/checkout: v6.0.2 - actions/setup-go: v6.2.0 - actions/setup-node: v6.2.0 - step-security/harden-runner: v2.14.1 - coverallsapp/github-action: v2.3.6 - golangci/golangci-lint-action: v9.2.0 - softprops/action-gh-release: v2.5.0 - oxsecurity/megalinter: v9.3.0 - github/codeql-action: v4 (latest) Dependabot is already configured to keep pinned actions updated weekly. --- .github/workflows/check-coverage.yml | 8 ++--- .github/workflows/ci-go.yml | 26 ++++++++-------- .github/workflows/ci-guardrailpolicies.yml | 2 +- .github/workflows/ci-python.yml | 2 +- .github/workflows/codeql-analysis.yml | 10 +++---- .../workflows/ensure-sha-pinned-actions.yml | 30 +++++++++++++++++++ .github/workflows/maintenance.yml | 4 +-- .github/workflows/npm-audit.yml | 8 ++--- .github/workflows/prune-tags.yml | 2 +- .github/workflows/release-note.yml | 4 +-- .github/workflows/yamllint.yml | 4 +-- Makefile | 12 +++++++- 12 files changed, 76 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/ensure-sha-pinned-actions.yml diff --git a/.github/workflows/check-coverage.yml b/.github/workflows/check-coverage.yml index 9efa70e156f..8ffeac3fc88 100644 --- a/.github/workflows/check-coverage.yml 
+++ b/.github/workflows/check-coverage.yml
@@ -37,10 +37,10 @@ jobs: workdir: . steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod
@@ -64,7 +64,7 @@ jobs: -- -coverprofile="$GITHUB_WORKSPACE/cover-${{ matrix.name }}.out" $PATTERN - name: Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: parallel: true flag-name: ${{ matrix.name }}
@@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Coveralls Finished - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: parallel-finished: true carryforward: "cmd,pkg-api,pkg-frontend,pkg-operator,pkg-util,pkg-other"
diff --git a/.github/workflows/ci-go.yml b/.github/workflows/ci-go.yml
index 007b2ec8889..1ec2b04a053 100644
--- a/.github/workflows/ci-go.yml
+++ b/.github/workflows/ci-go.yml
@@ -16,15 +16,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Golang - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod - run: |
@@ -39,15 +39,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Golang - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod - name: Run make generate
@@ -64,19 +64,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Golang - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod - name: Run golangci-lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: version: v2.8.0 args: -v --timeout 15m
@@ -89,15 +89,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Golang - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod - run: make validate-go-action
diff --git a/.github/workflows/ci-guardrailpolicies.yml b/.github/workflows/ci-guardrailpolicies.yml
index 0403026a4a6..7a6ac917ab6 100644
--- a/.github/workflows/ci-guardrailpolicies.yml
+++ b/.github/workflows/ci-guardrailpolicies.yml
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install opa binary run: |
diff --git a/.github/workflows/ci-python.yml b/.github/workflows/ci-python.yml
index 316059fd431..267871122b9 100644
--- a/.github/workflows/ci-python.yml
+++ b/.github/workflows/ci-python.yml
@@ -19,7 +19,7 @@ jobs: image: registry.access.redhat.com/ubi9/python-311:latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: validate run: | make test-python
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b125fcf77a0..f7d158c92eb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -36,11 +36,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go if: matrix.language == 'go' - uses: actions/setup-go@v6 + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: go.mod
@@ -49,15 +49,15 @@ jobs: go mod download - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config-${{matrix.language}}.yml - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ensure-sha-pinned-actions.yml b/.github/workflows/ensure-sha-pinned-actions.yml
new file mode 100644
index 00000000000..4a41f416edc
--- /dev/null
+++ b/.github/workflows/ensure-sha-pinned-actions.yml
@@ -0,0 +1,30 @@
+name: Ensure SHA Pinned Actions
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.github/workflows/**'
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+
+permissions:
+ contents: read
+
+jobs:
+ ensure-sha-pinned-actions:
+ name: Ensure SHA Pinned Actions
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6124774845927d14c601359ab8138699fa5b70c3 # v4.0.1
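Review bot: The three `github/codeql-action/*` pins in the second hunk record only the floating major tag in their comment (`# v4`), whereas every other pin in this series records the exact release, so the comment does not say which release 5049b573e2cbf31c2dbde702a60c24fe476f0766 corresponds to, and a checker that resolves the comment's version back to a commit — which is what the `pinact run --check --verify` target added in the second patch appears to do — will disagree with it as soon as `v4` moves. Replace the comment with the release tag that resolves to this SHA on all three lines, e.g. `uses: github/codeql-action/init@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4.<x>.<y>` (placeholder: fill in the tag that actually resolves to this commit). The same question applies to `# releases/2.1.0` on the eps1lon/actions-label-merge-conflict pin in the maintenance.yml hunk, which reads like a branch name rather than a tag; confirm it is something the verifier can resolve. The commit message's "github/codeql-action: v4 (latest)" suggests the exact version was simply not looked up.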
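Review bot: Both triggers of the new workflow carry a `paths:` filter on `.github/workflows/**`, so for any push or pull request that does not touch a workflow file the job is never created; if `Ensure SHA Pinned Actions` is then listed as a required status check, those pull requests will wait indefinitely for a status that never arrives, which is GitHub's documented behaviour for path-filtered required checks. Either drop both `paths:` blocks (the job costs a few seconds) or add a companion workflow with the same job name and `paths-ignore:` that succeeds unconditionally. Separately, the filter only watches `.github/workflows/**`, so `uses:` references in any composite action files elsewhere in the repository (none are visible in this series, so this may not apply) would neither trigger the check nor — depending on the scanner's defaults — be scanned by it.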
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index e8b3501379a..309779b6918 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -4,7 +4,7 @@ on: push: pull_request_target: types: - - synchronize + - synchronize permissions: contents: read
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check if prs are dirty - uses: eps1lon/actions-label-merge-conflict@releases/2.x + uses: eps1lon/actions-label-merge-conflict@fd1f295ee7443d13745804bc49fe158e240f6c6e # releases/2.1.0 with: dirtyLabel: needs-rebase removeOnDirtyLabel: ready-for-review
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
index fa272578f9a..465acad58ea 100644
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -17,10 +17,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: setup Node.JS - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: 16.16.0
@@ -33,10 +33,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: setup Node.JS - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: 16.16.0
diff --git a/.github/workflows/prune-tags.yml b/.github/workflows/prune-tags.yml
index 02b274e7a1a..c926d4184ab 100644
--- a/.github/workflows/prune-tags.yml
+++ b/.github/workflows/prune-tags.yml
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0
diff --git a/.github/workflows/release-note.yml b/.github/workflows/release-note.yml
index 5d398d8906f..82299c304e1 100644
--- a/.github/workflows/release-note.yml
+++ b/.github/workflows/release-note.yml
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.ref }} fetch-depth: 0
@@ -25,7 +25,7 @@ jobs: run: ./.github/generate_release_note.sh ${{ github.workspace }}/CHANGELOG.txt - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: body_path: ${{ github.workspace }}/CHANGELOG.txt name: Release ${{ github.ref_name }}
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index b5882801be6..176d30d17b2 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: yamllint - uses: oxsecurity/megalinter/flavors/ci_light@v9 + uses: oxsecurity/megalinter/flavors/ci_light@42bb470545e359597e7f12156947c436e4e3fb9a # v9.3.0
diff --git a/Makefile b/Makefile
index b5cd83378fb..5fd05f7a7da 100644
--- a/Makefile
+++ b/Makefile
@@ -305,7 +305,7 @@ validate-go: validate-imports go test -tags e2e -run ^$$ ./test/e2e/... .PHONY: validate-go-action -validate-go-action: validate-imports validate-lint-go-fix +validate-go-action: validate-imports validate-lint-go-fix validate-gh-actions go run ./hack/licenses -validate -ignored-go vendor,pkg/client,.git -ignored-python python/client,python/az/aro/azext_aro/aaz,vendor,.git @[ -z "$$(ls pkg/util/*.go 2>/dev/null)" ] || (echo error: go files are not allowed in pkg/util, use a subpackage; exit 1) @[ -z "$$(find -name "*:*")" ] || (echo error: filenames with colons are not allowed on Windows, please rename; exit 1)
@@ -342,6 +342,16 @@ validate-lint-go-fix: lint-go-fix exit 1; \ fi +.PHONY: validate-gh-actions +validate-gh-actions: ## Validate GitHub Actions are pinned to SHA + @echo "Checking that all GitHub Actions are pinned to SHA..." + @if grep -rE 'uses:\s+[^@]+@(v[0-9]|master|main|releases/)' .github/workflows/*.yml 2>/dev/null | grep -v '#'; then \ + echo "Error: Found unpinned GitHub Actions (must use SHA with version comment)"; \ + echo "Run 'npx pin-github-action .github/workflows/' to fix"; \ + exit 1; \ + fi + @echo "All GitHub Actions are properly pinned to SHA" + .PHONY: lint-admin-portal lint-admin-portal: docker build --platform=linux/amd64 --build-arg REGISTRY=$(REGISTRY) --build-arg BUILDER_REGISTRY=$(BUILDER_REGISTRY) -f Dockerfile.portal_lint . -t linter:latest --no-cache
From 86d76d0dc8389db9333a1649a8428f36df2b0da2 Mon Sep 17 00:00:00 2001
From: Alessandro Affinito Date: Thu, 5 Feb 2026 11:19:07 +0100 Subject: [PATCH 2/2] Replace npm pin-github-action with Go-based pinact - Add pinact v1.6.0 to bingo dependencies for reproducible builds - Update validate-gh-actions to use pinact with --check and --verify flags - Add fix-gh-actions target for automatic SHA pinning - Integrate validate-gh-actions into validate-go target to ensure it runs as part of the standard validation workflow Using pinact eliminates the Node.js dependency and provides better validation by verifying SHA/version comment pairs are correct. --- .bingo/Variables.mk | 6 ++++++ .bingo/pinact.mod | 5 +++++ .bingo/pinact.sum | 47 ++++++++++++++++++++++++++++++++++++++++++++ .bingo/variables.env | 2 ++ Makefile | 16 ++++++++------- 5 files changed, 69 insertions(+), 7 deletions(-) create mode 100644 .bingo/pinact.mod create mode 100644 .bingo/pinact.sum diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk index 7ac3f3c08e5..562c6697bb7 100644 --- a/.bingo/Variables.mk +++ b/.bingo/Variables.mk @@ -101,3 +101,9 @@ $(MOCKGEN): $(BINGO_DIR)/mockgen.mod @echo "(re)installing $(GOBIN)/mockgen-v0.6.0" @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=mockgen.mod -o=$(GOBIN)/mockgen-v0.6.0 "go.uber.org/mock/mockgen" +PINACT := $(GOBIN)/pinact-v1.6.0 +$(PINACT): $(BINGO_DIR)/pinact.mod + @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. + @echo "(re)installing $(GOBIN)/pinact-v1.6.0" + @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=pinact.mod -o=$(GOBIN)/pinact-v1.6.0 "github.com/suzuki-shunsuke/pinact/cmd/pinact" + diff --git a/.bingo/pinact.mod b/.bingo/pinact.mod new file mode 100644 index 00000000000..868f43a010f --- /dev/null +++ b/.bingo/pinact.mod @@ -0,0 +1,5 @@ +module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT + +go 1.25.3 + +require github.com/suzuki-shunsuke/pinact v1.6.0 // cmd/pinact 
diff --git a/.bingo/pinact.sum b/.bingo/pinact.sum
new file mode 100644
index 00000000000..e79ab799a0c
--- /dev/null
+++ b/.bingo/pinact.sum
@@ -0,0 +1,47 @@ +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-github/v70 v70.0.0 h1:/tqCp5KPrcvqCc7vIvYyFYTiCGrYvaWoYMGHSQbo55o= +github.com/google/go-github/v70 v70.0.0/go.mod h1:xBUZgo8MI3lUL/hwxl3hlceJW1U8MVnXP3zUyI+rhQY= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= +github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= +github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA= +github.com/spf13/afero v1.14.0/go.mod 
h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/suzuki-shunsuke/logrus-error v0.1.4 h1:nWo98uba1fANHdZ9Y5pJ2RKs/PpVjrLzRp5m+mRb9KE= +github.com/suzuki-shunsuke/logrus-error v0.1.4/go.mod h1:WsVvvw6SKSt08/fB2qbnsKIMJA4K1MYCUprqsBJbMiM= +github.com/suzuki-shunsuke/pinact v1.6.0 h1:2QvSzREOquwLwKXhF9Hj0AInE/Rl63SZz9dKkHFC6so= +github.com/suzuki-shunsuke/pinact v1.6.0/go.mod h1:FDUMck0mmL0mcnNZ23Vjh/aOR5cIdZhF1IIpGksT4dQ= +github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4 h1:YGHgrVjGTYHY98II6zijXUHP+OyvrzSCvd8m9iUcaK8= +github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4/go.mod h1:sSi6xaUaHfaqu32ECLeyE7NTMv+ZM5dW0JikhllaalY= +github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g= +github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= +golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= +golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= +golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/.bingo/variables.env b/.bingo/variables.env index 5b64ba0140c..2f181065bda 100644 --- a/.bingo/variables.env +++ b/.bingo/variables.env @@ -36,3 +36,5 @@ GOVULNCHECK="${GOBIN}/govulncheck-v1.1.4" MOCKGEN="${GOBIN}/mockgen-v0.6.0" +PINACT="${GOBIN}/pinact-v1.6.0" + diff --git a/Makefile b/Makefile index 5fd05f7a7da..8100682ad12 100644 --- a/Makefile +++ b/Makefile @@ -296,7 +296,7 @@ test-e2e: e2e.test test-go: generate build-all validate-go lint-go unit-test-go .PHONY: validate-go -validate-go: validate-imports +validate-go: validate-go-action gofmt -s -w cmd hack pkg test go run ./hack/licenses @[ -z "$$(ls pkg/util/*.go 2>/dev/null)" ] || (echo error: go files are not allowed in pkg/util, use a subpackage; exit 1) 
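Review bot: `validate-go: validate-go-action` replaces the `validate-imports` prerequisite with the whole CI aggregate target rather than adding `validate-gh-actions` to it, although the commit message describes only the latter. As defined in the first patch, `validate-go-action` pulls in `validate-lint-go-fix` (which itself depends on `lint-go-fix`) and runs `go run ./hack/licenses -validate ...` plus the pkg/util check, so a plain `make validate-go` now runs the linter-fix target and then repeats the licenses tool and the pkg/util check in its own recipe. If only the pin check was intended, `validate-go: validate-imports validate-gh-actions` keeps the previous behaviour and adds it; if the wider change is deliberate, the commit message should say so, since it changes what contributors run locally.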
@@ -343,15 +343,17 @@ validate-lint-go-fix: lint-go-fix fi .PHONY: validate-gh-actions -validate-gh-actions: ## Validate GitHub Actions are pinned to SHA +validate-gh-actions: $(PINACT) ## Validate GitHub Actions are pinned to SHA @echo "Checking that all GitHub Actions are pinned to SHA..." - @if grep -rE 'uses:\s+[^@]+@(v[0-9]|master|main|releases/)' .github/workflows/*.yml 2>/dev/null | grep -v '#'; then \ - echo "Error: Found unpinned GitHub Actions (must use SHA with version comment)"; \ - echo "Run 'npx pin-github-action .github/workflows/' to fix"; \ - exit 1; \ - fi + @$(PINACT) run --check --verify @echo "All GitHub Actions are properly pinned to SHA" +.PHONY: fix-gh-actions +fix-gh-actions: $(PINACT) ## Pin unpinned GitHub Actions to SHA + @echo "Pinning GitHub Actions to SHA..." + @$(PINACT) run + @echo "Done. Please review the changes." + .PHONY: lint-admin-portal lint-admin-portal: docker build --platform=linux/amd64 --build-arg REGISTRY=$(REGISTRY) --build-arg BUILDER_REGISTRY=$(BUILDER_REGISTRY) -f Dockerfile.portal_lint . -t linter:latest --no-cache
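Review bot: `@$(PINACT) run --check --verify` turns this target into a network-dependent step: `--verify` has to resolve each version comment against the upstream repository, so `make validate-gh-actions` (and, through `validate-go-action`, the `ci-go.yml` validate job) now calls the GitHub API, which unauthenticated is throttled to a small per-IP budget and can fail spuriously on shared runners. Document that on the target, e.g. `validate-gh-actions: $(PINACT) ## Validate GitHub Actions are pinned to SHA (needs network; set GITHUB_TOKEN to avoid API rate limits)`, and set `GITHUB_TOKEN: ${{ github.token }}` in the `env:` of the `run: make validate-go-action` step in ci-go.yml — pinact is understood to read that variable, please confirm for v1.6.0. If `harden-runner` is ever switched from `egress-policy: audit` to `block` in that workflow, api.github.com will need to be allowlisted for the job. Also worth confirming that pinact's default file set covers at least the `.github/workflows/*.yml` the replaced grep scanned, since the defaults are not visible here.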