From 2a576e6ce6183d856008882adb5d181ded789ba2 Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Fri, 26 Jun 2026 09:37:17 +0200
Subject: [PATCH] Minor security hardening

- sha pinning of the remaining github-owned actions
- dependabot setting for docker & actions
- force tls client minversion
---
.github/dependabot.yml | 7 ++++++-
.github/workflows/build_image_pr.yml | 4 ++--
.github/workflows/pull_request.yml | 14 +++++++-------
.github/workflows/push_image.yml | 11 ++++++-----
.github/workflows/push_image_pr.yml | 4 ++--
.github/workflows/release.yml | 9 +++------
pkg/httpclient/http_client.go | 2 +-
7 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 227c0e531..220f32c6f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -34,4 +34,9 @@ updates:
cypress-docker:
applies-to: version-updates
patterns:
- - "cypress/*"
\ No newline at end of file
+ - "cypress/*"
+
+ - package-ecosystem: "github-actions"
+ directory: "/.github"
+ schedule:
+ interval: "monthly"
diff --git a/.github/workflows/build_image_pr.yml b/.github/workflows/build_image_pr.yml
index ab08e20e9..04fb4e03e 100644
--- a/.github/workflows/build_image_pr.yml
+++ b/.github/workflows/build_image_pr.yml
@@ -15,7 +15,7 @@ jobs:
name: Build PR image and upload artifact
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Install make
@@ -25,7 +25,7 @@ jobs:
- name: build and save standalone image
run: OCI_BUILD_OPTS="--label quay.expires-after=2w" IMAGE_ORG=${{ env.WF_ORG }} VERSION=tmp CLEAN_BUILD=1 STANDALONE=true make tar-image
- name: upload artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: pr
path: out/
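Review bot: The new `github-actions` entry points Dependabot at `directory: "/.github"`, while the documented location for workflow files is `directory: "/"` (Dependabot then looks in `.github/workflows` itself), so I would confirm that this entry actually produces update PRs before relying on it to refresh the SHA pins added elsewhere in this commit, and switch to `directory: "/"` if it does not. Those pins are kept current only through the trailing `# v6`-style comments, so a one-line comment on this entry such as `# keeps the SHA-pinned actions in .github/workflows up to date` would tell the next maintainer what depends on it. The commit message also mentions a docker Dependabot setting, which is not part of this hunk; it may sit above line 34 of the file.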
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 17b664baa..2932e49d3 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -16,11 +16,11 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: set up go 1.x
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: '1.26'
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: build, lint, test
@@ -42,11 +42,11 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: set up node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6
with:
node-version: 22
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: build and test
@@ -66,18 +66,18 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: set up go 1.x
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: '1.26'
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: run benchmark comparison
run: make benchmark-server-compare
- name: upload benchmark results
if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: benchmark-results
path: pkg/server/benchmark-current.txt
diff --git a/.github/workflows/push_image.yml b/.github/workflows/push_image.yml
index 05a35fa93..13611b7b5 100644
--- a/.github/workflows/push_image.yml
+++ b/.github/workflows/push_image.yml
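Review bot: In the second hunk, `actions/setup-node` moves from `@v3` to a SHA commented `#v6`, which is a three-major-version upgrade rather than the plain pin the commit message describes; it deserves a mention in the message, and since a reader can only judge a pin by its comment, the SHA should be checked against the tag it claims before merge. The comment also lacks the space used by every other pin in this file, and Dependabot relies on that trailing comment to keep the tag in sync, so I would write `uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6`. The same `#v6` form appears in the setup-node hunk of push_image.yml.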
@@ -20,7 +20,7 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: docker login to quay.io
@@ -49,11 +49,12 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: set up go 1.x
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: '1.26'
+ cache: false
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Test
@@ -75,11 +76,11 @@ jobs:
- name: install make
run: sudo apt-get install make
- name: set up node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6
with:
node-version: 22
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Test
diff --git a/.github/workflows/push_image_pr.yml b/.github/workflows/push_image_pr.yml
index 21bcce0c1..f6bf60a9d 100644
--- a/.github/workflows/push_image_pr.yml
+++ b/.github/workflows/push_image_pr.yml
@@ -43,7 +43,7 @@ jobs:
echo "main_image=${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE }}:${head_sha::8}" >> $GITHUB_ENV
echo "sa_image=${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE_SA }}:${head_sha::8}" >> $GITHUB_ENV
- name: download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: pr
run-id: ${{github.event.workflow_run.id }}
@@ -64,7 +64,7 @@ jobs:
run: |
DOCKER_BUILDKIT=1 docker push ${{ env.main_image }}
DOCKER_BUILDKIT=1 docker push ${{ env.sa_image }}
- - uses: actions/github-script@v9
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
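Review bot: The second hunk of push_image.yml adds `cache: false` to the `setup-go` step, a behaviour change unrelated to SHA pinning that neither the commit message nor the workflow explains; a comment on that line stating the reason, e.g. `cache: false # <reason the Go module cache is disabled in this job>`, would keep it from being reverted later as an apparent oversight. The `setup-go` steps in the pull_request.yml hunks keep the default caching, so the two workflows now differ on this point; if that is intentional, the same comment should say so. The `#v6` comment on the setup-node pin in the third hunk should also use the `# v6` form the other pins use, since Dependabot reads that comment to keep the tag current.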
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0e1095cf..def9dd637 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: validate tag
@@ -45,12 +45,9 @@ jobs:
run: |
MULTIARCH_TARGETS="${{ env.WF_MULTIARCH_TARGETS }}" IMAGE_ORG=${{ env.WF_ORG }} VERSION=${{ env.tag }} CLEAN_BUILD=1 STANDALONE=true make images
- name: create draft release
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: ${{ env.tag }}
- release_name: ${{ env.tag }}
+ name: ${{ env.tag }}
draft: true
prerelease: false
diff --git a/pkg/httpclient/http_client.go b/pkg/httpclient/http_client.go
index fb55b70ca..a8dc45d8f 100644
--- a/pkg/httpclient/http_client.go
+++ b/pkg/httpclient/http_client.go
@@ -43,7 +43,7 @@ func NewTransport(timeout time.Duration, skipTLS bool, capath string, userCertPa
transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
slog.Warn("skipping TLS checks. SSL certificate verification is now disabled !")
} else if capath != "" || userCertPath != "" {
- transport.TLSClientConfig = &tls.Config{}
+ transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS13}
if capath != "" {
caCert, err := os.ReadFile(capath)
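Review bot: The second hunk swaps the archived `actions/create-release@v1` for the third-party `softprops/action-gh-release`, which widens the set of publishers trusted by the release job rather than pinning a GitHub-owned action as the commit message describes, so the replacement should be named in the message. Dropping `id: create_release` will break any later step in this job that references `steps.create_release.outputs` (for example an upload URL consumed by a release-asset step); the job continues past `prerelease: false`, outside this hunk, so those steps need checking. With the explicit `env: GITHUB_TOKEN` gone, the new action falls back to the workflow's default token, so the job's `permissions` block, which is not in this hunk, must grant `contents: write` for the draft release to be created.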