From 15cde971175291712e97af38b19125f3965627c9 Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Fri, 26 Jun 2026 09:56:41 +0200
Subject: [PATCH] Minor security hardening
- sha pinning of the remaining github-owned actions
- dependabot setting for docker & actions
- force tls client minversion
---
.github/dependabot.yml | 9 +++++++++
.github/workflows/build_image_pr.yml | 6 +++---
.github/workflows/on-release.yml | 2 +-
.github/workflows/pull_request.yml | 4 ++--
.github/workflows/pull_request_e2e.yml | 6 +++---
.github/workflows/push_image.yml | 7 ++++---
.github/workflows/push_image_pr.yml | 4 ++--
.github/workflows/release.yml | 23 ++++++-----------------
cmd/prom.go | 2 +-
9 files changed, 31 insertions(+), 32 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ac02b85a1..26ffd399b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,3 +15,12 @@ updates: applies-to: version-updates patterns: - "k8s.io/*" + + - package-ecosystem: "github-actions" + directory: "/.github" + schedule: + interval: "monthly" + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly"
diff --git a/.github/workflows/build_image_pr.yml b/.github/workflows/build_image_pr.yml
index aa59183ba..d8a9651fa 100644
--- a/.github/workflows/build_image_pr.yml
+++ b/.github/workflows/build_image_pr.yml
@@ -16,7 +16,7 @@ jobs: name: Build PR image and upload artifact runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Install make
@@ -29,7 +29,7 @@ jobs: USER=netobserv VERSION=${head_sha::8} make commands - name: upload commands id: artifact-upload-step - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: commands path: build/
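Review bot: The new `github-actions` entry sets `directory: "/.github"`, while Dependabot's documented convention for this ecosystem is `directory: "/"`, which it resolves to `.github/workflows`; confirm that `/.github` is accepted and actually scans the workflow files, because otherwise the SHA pins introduced elsewhere in this commit will never be bumped and will quietly go stale. Since those pins carry `# v6`-style comments, Dependabot can update both the SHA and the comment, so keeping the comments accurate is what makes the pins maintainable. The `docker` entry at `/` presumably targets a Dockerfile at the repository root — worth confirming that is where the image build lives.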
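Review bot: The `upload-artifact` pin here is commented `# v7` but replaces `@v4`, so this is a major-version upgrade rather than a plain SHA pin, and the commit message only talks about pinning; the same applies to the hunk at `@@ -37,7` in this file, the `e2e-logs` upload in pull_request_e2e.yml, and `download-artifact` going from `@v5` to `# v8` in push_image_pr.yml. A reviewer cannot verify from the patch that each 40-character SHA is the commit behind the tag named in its comment, so that mapping should be checked against the upstream releases before merging — a wrong or stale comment defeats the point of pinning. Because build_image_pr.yml uploads the `pr` artifact that push_image_pr.yml downloads, the upload (v7) and download (v8) majors presumably need to be a compatible pair; worth confirming in the actions' compatibility notes, and mentioning the version bumps in the commit description.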
@@ -37,7 +37,7 @@ jobs: run: | echo ${{ steps.artifact-upload-step.outputs.artifact-url }} > ./out/commands-url - name: upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: pr path: out/
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index 638e44007..a89002723 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Call krew-release-bot
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index bd94d81ba..9ae7cbefe 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -13,11 +13,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: '1.26' - name: Install make
diff --git a/.github/workflows/pull_request_e2e.yml b/.github/workflows/pull_request_e2e.yml
index fc3b60130..e02699b83 100644
--- a/.github/workflows/pull_request_e2e.yml
+++ b/.github/workflows/pull_request_e2e.yml
@@ -22,11 +22,11 @@ jobs: sudo cp oc kubectl /usr/local/bin oc version - name: set up go 1.x - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: '1.26' - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: get kernel version
@@ -34,7 +34,7 @@ jobs: - name: run end-to-end tests run: make tests-e2e - name: upload e2e test logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: e2e-logs
diff --git a/.github/workflows/push_image.yml b/.github/workflows/push_image.yml
index 6cfb575f4..8ab4f69fd 100644
--- a/.github/workflows/push_image.yml
+++ b/.github/workflows/push_image.yml
@@ -25,7 +25,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # v1.7.0 - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: docker login to quay.io
@@ -51,11 +51,12 @@ jobs: - name: install make run: sudo apt-get install make - name: set up go 1.x - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: '1.26' + cache: false - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Test
diff --git a/.github/workflows/push_image_pr.yml b/.github/workflows/push_image_pr.yml
index 57db1e9eb..a355f0af4 100644
--- a/.github/workflows/push_image_pr.yml
+++ b/.github/workflows/push_image_pr.yml
@@ -41,7 +41,7 @@ jobs: echo "short_sha=$(echo ${head_sha::8})" >> $GITHUB_ENV echo "main_image=${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE }}:${head_sha::8}" >> $GITHUB_ENV - name: download artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: pr run-id: ${{github.event.workflow_run.id }}
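Review bot: `cache: false` on the setup-go step in push_image.yml (hunk `@@ -51,11 +51,12`) is a behaviour change that the commit message does not mention and that is made only here, not on the setup-go steps this commit also touches in pull_request.yml and pull_request_e2e.yml. Presumably the intent is that the job which publishes images builds from freshly fetched modules rather than a restored cache; if so, record it inline so the asymmetry is not "fixed" later, e.g. `cache: false  # publishing job: build from fresh modules, do not restore a cached module tree`.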
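Review bot: Pinning `download-artifact` in push_image_pr.yml does not change the trust boundary of that step: it fetches the `pr` artifact from the run named by `github.event.workflow_run.id`, i.e. output produced by the PR workflow from untrusted pull-request code, into a workflow that pushes images. The lines just above the step write `short_sha` and `main_image` into `$GITHUB_ENV`; confirm that nothing read back from the downloaded `out/` directory (build_image_pr.yml writes `commands-url` there) is later appended to `$GITHUB_ENV` or interpolated unquoted into a shell step, since that would let PR content steer this job — the rest of the job is outside the hunk. A one-line comment above the step stating what is and is not trusted from the artifact would help the next reader, e.g. `# artifact comes from the untrusted PR run: treat its contents as data only`.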
@@ -59,7 +59,7 @@ jobs: - name: push images run: | DOCKER_BUILDKIT=1 docker push ${{ env.main_image }} - - uses: actions/github-script@v9 + - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{secrets.GITHUB_TOKEN}} script: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7a9e4851b..a1f7ffc9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: validate tag
@@ -48,23 +48,12 @@ jobs: run: MULTIARCH_TARGETS="${{ env.WF_MULTIARCH_TARGETS }}" IMAGE_ORG=${{ env.WF_ORG }} VERSION=${{ env.tag }} CLEAN_BUILD=1 make images - name: build plugin artifact run: IMAGE_ORG=${{ env.WF_ORG }} VERSION=${{ env.tag }} make release - - name: create github release - uses: actions/create-release@v1 - id: create_release + - name: create draft release and upload binaries + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: + tag_name: ${{ env.tag }} + name: ${{ env.tag }} draft: true prerelease: false - release_name: ${{ env.tag }} - tag_name: ${{ env.tag }} + files: netobserv-cli.tar.gz body: Edit to remove this content, click on 'generate release notes' above and publish. It will trigger the krew-release-bot. - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: push plugin artifact - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: netobserv-cli.tar.gz - asset_name: netobserv-cli.tar.gz - asset_content_type: application/gzip
diff --git a/cmd/prom.go b/cmd/prom.go
index 4550bc08d..31d4389a9 100644
--- a/cmd/prom.go
+++ b/cmd/prom.go
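Review bot: In the release.yml hunk at `@@ -48,23 +48,12`, the replacement `softprops/action-gh-release` step no longer receives `GITHUB_TOKEN` through `env:` as the two removed steps did, so it relies on the action's default token input; that is the same token, but nothing in the hunk now names it, so confirm the job's `permissions` block (outside the hunk) grants `contents: write`, and consider noting it inline, e.g. `# needs contents: write on the job permissions`. This also swaps two GitHub-owned actions for a third-party one, which the commit description ("github-owned actions") does not call out; the SHA pin with the `# v3.0.1` comment is the right shape, but the SHA-to-tag mapping should be verified upstream. Dropping `id: create_release` breaks any later reference to `steps.create_release.outputs.upload_url` — nothing after `asset_content_type` is visible, so confirm none remains.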
@@ -61,7 +61,7 @@ func newTransport(timeout time.Duration, skipTLS bool, capath string, userCertPa transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} log.Debugf("skipping TLS checks. SSL certificate verification is now disabled !") } else if capath != "" || userCertPath != "" { - transport.TLSClientConfig = &tls.Config{} + transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS13} if capath != "" { caCert, err := os.ReadFile(capath)